<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fulcio (&lt;= 1.8.5) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/fulcio--1.8.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:03:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/fulcio--1.8.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>Sigstore Fulcio Vulnerabilities: OIDC Discovery Redirect Leads to SSRF, JWKS Substitution, and Kubernetes Token Leakage (CVE-2026-49478)</title><link>https://feed.craftedsignal.io/briefs/2026-07-sigstore-fulcio-oidc-ssrf-jwks-cve-2026-49478/</link><pubDate>Fri, 03 Jul 2026 13:03:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sigstore-fulcio-oidc-ssrf-jwks-cve-2026-49478/</guid><description>A high-severity vulnerability (CVE-2026-49478) in Sigstore Fulcio's OIDC discovery client allows blind Server-Side Request Forgery (SSRF) via cross-host redirects, facilitates JWKS substitution for cache poisoning, and causes Kubernetes ServiceAccount token leakage to external attackers, potentially compromising supply chain integrity and cluster resources.</description><content:encoded><![CDATA[<p>Three critical security vulnerabilities (CVE-2026-49478) have been identified in the OIDC Discovery client within Sigstore Fulcio versions up to and including 1.8.5. Fulcio, a certificate authority for Sigstore, is crucial for verifying the authenticity of software artifacts in the supply chain. Prior to this fix, Fulcio's OIDC discovery process could be exploited by a malicious or compromised OIDC issuer. This allowed attackers to redirect Fulcio's internal HTTP requests to internal systems, leading to blind Server-Side Request Forgery (SSRF). Furthermore, attackers could poison Fulcio's verifier cache by substituting legitimate JSON Web Key Sets (JWKS) with attacker-controlled ones, enabling the forging of signatures. Compounding these issues, Fulcio's integration with Kubernetes meant ServiceAccount tokens could be leaked to external hosts during OIDC discovery, granting attackers potential access to Kubernetes cluster resources. These flaws severely undermine the integrity and security guarantees provided by Fulcio.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker either controls a malicious OIDC issuer or compromises a legitimate one configured for Fulcio.</li>
<li>Fulcio, during its OIDC discovery process, initiates a request to fetch metadata (<code>/.well-known/openid-configuration</code>) from the attacker-controlled OIDC issuer.</li>
<li>The malicious OIDC issuer responds with an HTTP 3xx redirect to an internal IP address or hostname within Fulcio's network, such as the Kubernetes API server (<code>https://kubernetes.default.svc</code>), triggering a blind SSRF.</li>
<li>Simultaneously, the attacker-controlled issuer can provide a <code>jwks_uri</code> in its discovery response that points to an endpoint under the attacker's control.</li>
<li>Fulcio, following the malicious <code>jwks_uri</code>, fetches the attacker's JSON Web Key Set (JWKS) and caches it, effectively poisoning its internal verifier cache.</li>
<li>With the poisoned cache, the attacker can now forge signatures for software artifacts that Fulcio will validate as legitimate, bypassing critical integrity checks in the supply chain.</li>
<li>During these redirected HTTP requests and JWKS fetches, Fulcio inappropriately attaches its mounted Kubernetes ServiceAccount token to outbound requests directed towards the external, attacker-controlled hosts.</li>
<li>This leakage exposes the Kubernetes ServiceAccount token to the attacker, potentially enabling further reconnaissance, privilege escalation, and direct access to the Kubernetes cluster API and its resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The identified vulnerabilities have severe consequences across several domains. The blind SSRF allows attackers to probe and potentially interact with internal network services and infrastructure that would otherwise be inaccessible, potentially revealing sensitive information or enabling further internal attacks. JWKS substitution directly compromises the integrity verification process, allowing attackers to sign and distribute malicious software that appears legitimate, undermining the trust model of Sigstore and supply chain security. Most critically, the leakage of Kubernetes ServiceAccount tokens provides attackers with credentials that can be used to gain unauthorized access to the Kubernetes cluster. This can lead to full cluster compromise, data exfiltration, resource manipulation, and deployment of malicious workloads, affecting a wide range of organizations using Fulcio for artifact signing and verification, particularly those deployed within Kubernetes environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Upgrade immediately</strong>: Patch affected Sigstore Fulcio instances to version 1.8.6 or newer to address CVE-2026-49478.</li>
<li><strong>Monitor application logs</strong>: Review application logs for Fulcio's OIDC discovery process for unusual HTTP redirects or fetches from unexpected <code>jwks_uri</code> endpoints, although the SSRF is blind and direct detection may be challenging.</li>
<li><strong>Review Kubernetes ServiceAccount usage</strong>: Audit the permissions granted to the Kubernetes ServiceAccounts used by Fulcio to ensure they adhere to the principle of least privilege, minimizing the impact of potential token leakage as described in CVE-2026-49478.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain-security</category><category>kubernetes</category><category>oidc</category><category>ssrf</category><category>jwks</category><category>cve</category></item></channel></rss>