| Field | Value |
|---|---|
| CVE ID | CVE-2026-49478 |
| Vendor | go |
| Affected Product | github.com/sigstore/fulcio |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |

# Impact

Three security vulnerabilities were identified in the OIDC Discovery client:

1. Blind Server-Side Request Forgery (SSRF) via Cross-Host Redirects: Fulcio uses an HTTP client to fetch OIDC discovery metadata (/.well-known/openid-configuration). Prior to this fix, if a configured issuer returned an HTTP redirect to a different host, the client followed it by default. This allowed a compromised or malicious issuer to redirect Fulcio's discovery requests to internal-only systems, resulting in blind SSRF.
2. JWKS Substitution and Cache Poisoning: Because cross-host redirects were permitted during OIDC discovery, an attacker could manipulate the discovery flow to return a malicious jwks_uri pointing to an attacker-controlled host. When Fulcio successfully initialized the pr
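The following Go example is added here to illustrate the redirect behaviour described above; it is not Fulcio's code or its actual fix. It contrasts Go's default `http.Client` redirect policy with a `CheckRedirect` that refuses to leave the issuer's scheme and host, using two constructed `httptest` servers: a malicious issuer whose discovery endpoint redirects to an "internal" server. The names `sameOriginRedirect` and `discoveryReachesInternal` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

var ErrCrossHostRedirect = errors.New("oidc discovery: refusing redirect off the issuer host")

// sameOriginRedirect is a CheckRedirect policy: follow only redirects that keep the first
// request's scheme and host. Go's default (nil CheckRedirect) follows up to 10 hops anywhere.
func sameOriginRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("oidc discovery: too many redirects")
	}
	first := via[0].URL
	if req.URL.Scheme != first.Scheme || req.URL.Host != first.Host {
		return ErrCrossHostRedirect
	}
	return nil
}

// discoveryReachesInternal is a constructed scenario: an "internal" server that must stay
// unreachable and a malicious issuer that redirects discovery there. Returns internal hits + error.
func discoveryReachesInternal(client *http.Client) (int, error) {
	hits := 0
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hits++
		fmt.Fprint(w, `{"jwks_uri":"http://attacker.invalid/keys"}`) // attacker-chosen jwks_uri
	}))
	defer internal.Close()
	issuer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+r.URL.Path, http.StatusFound)
	}))
	defer issuer.Close()
	resp, err := client.Get(issuer.URL + "/.well-known/openid-configuration")
	if err == nil {
		resp.Body.Close()
	}
	return hits, err
}

func main() {
	hits, err := discoveryReachesInternal(http.DefaultClient)
	fmt.Println("default client: internal hits =", hits, "err =", err)
	hits, err = discoveryReachesInternal(&http.Client{CheckRedirect: sameOriginRedirect})
	fmt.Println("hardened client: internal hits =", hits, "err =", err)
}
```

With the default client the internal server records one hit and the attacker-chosen jwks_uri is what the discovery document returns; with the same-origin policy the fetch fails before the internal host is contacted.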