CRITICAL🇵🇱 Wersja polska

CVE-2026-50545

CVSS 9.9v3.1pub. 2026-06-10

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous fields into the generated pods. This issue has been patched in version 1.24.0.

🤖 AI Analysis
How it works

The Environment.spec.runtime.podSpec and spec.builder.podSpec fields were passed to generated pods without any validation. The MergePodSpec function propagated unsafe configuration values directly to the specification of created pods. An attacker with permissions to create or modify Environment objects in Fission could inject malicious podSpec parameters — such as mounting sensitive host paths, privileged container settings, or overriding security context — which were then automatically applied in running pods.

Impact

An attacker can obtain elevated privileges within a Kubernetes cluster, potentially leading to node takeover, access to sensitive cluster resources, and compromise of confidentiality, integrity, and availability of the entire environment.

Mitigation & patch

Fission should be updated to version 1.24.0, which introduces validation of podSpec fields and restricts the propagation of unsafe configurations through MergePodSpec. Details are available in the v1.24.0 release and pull requests #3390 and #3391 in the project repository.

Who is affected

Fission (open-source serverless framework for Kubernetes) in versions before 1.24.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References