Information disclosure in Fulcio - #VU132353
Published: May 27, 2026
Fulcio
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the HTTP transport that attaches Kubernetes ServiceAccount tokens to outbound OIDC discovery and JWKS requests. A remote attacker who can cause Fulcio to send such a request to an external host receives the attached token with that request.
The leaked information is the in-cluster Kubernetes ServiceAccount token. The token is attached regardless of destination, including when a redirect crosses a host boundary or when a wildcard kubernetes MetaIssuer matches an external endpoint while a local Kubernetes issuer is configured.
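The mitigation the description implies is to bind credential attachment to the destination host rather than to the issuer type. The following Go transport is an added illustration, not Fulcio's own code: the trusted host name, the token value and all function names are assumptions; it attaches the token only to HTTPS requests whose host exactly matches the configured in-cluster issuer, re-evaluates that on every hop, and refuses redirects that leave that host.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
)

// saTokenTransport sends the in-cluster ServiceAccount token only to the
// configured issuer host. Hypothetical hardening, not Fulcio's own code.
type saTokenTransport struct {
	base        http.RoundTripper
	token       string // the mounted ServiceAccount token
	trustedHost string // e.g. "kubernetes.default.svc" (assumed value)
}

// allowToken: https and an exact host match with the trusted issuer, so a
// wildcard issuer match against an external endpoint never qualifies.
func allowToken(trustedHost string, u *url.URL) bool {
	return u.Scheme == "https" && u.Hostname() == trustedHost
}

// prepare clones req and decides per request whether to attach the token;
// each redirect hop passes through here again, so a cross-host hop loses it.
func (t *saTokenTransport) prepare(req *http.Request) *http.Request {
	r := req.Clone(req.Context())
	r.Header.Del("Authorization") // never forward a caller-supplied credential
	if allowToken(t.trustedHost, r.URL) {
		r.Header.Set("Authorization", "Bearer "+t.token)
	}
	return r
}

func (t *saTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return t.base.RoundTrip(t.prepare(req))
}

// checkRedirect refuses redirects that leave the trusted host entirely.
func checkRedirect(trustedHost string) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if !allowToken(trustedHost, req.URL) {
			return errors.New("refusing redirect off trusted issuer host: " + req.URL.Host)
		}
		return nil
	}
}

func newDiscoveryClient(token, trustedHost string) *http.Client {
	return &http.Client{Transport: &saTokenTransport{base: http.DefaultTransport, token: token, trustedHost: trustedHost}, CheckRedirect: checkRedirect(trustedHost)}
}
```

Use the client returned by newDiscoveryClient for all OIDC discovery and JWKS fetches; a request to any host other than trustedHost, or over plain HTTP, goes out without the token.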