{"id":"GO-2026-5853","summary":"Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage in github.com/sigstore/fulcio","details":"Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage in github.com/sigstore/fulcio","aliases":["CVE-2026-49478","GHSA-f5mr-q85p-6hh6"],"modified":"2026-07-10T18:29:34.740186874Z","published":"2026-07-07T15:26:32Z","related":["CGA-m9fm-v3rr-527q"],"database_specific":{"review_status":"UNREVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-5853"},"references":[{"type":"ADVISORY","url":"https://github.com/sigstore/fulcio/security/advisories/GHSA-f5mr-q85p-6hh6"}],"affected":[{"package":{"name":"github.com/sigstore/fulcio","ecosystem":"Go","purl":"pkg:golang/github.com/sigstore/fulcio"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.8.6"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-5853.json"}}],"schema_version":"1.7.5"}