CRITICAL🇵🇱 Wersja polska

CVE-2026-50564

CVSS 9.9v3.1pub. 2026-06-10

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.

🤖 AI Analysis
How it works

The Environment CRD resource in Fission exposes spec.runtime.podSpec and spec.builder.podSpec fields, whose contents are merged with internal Kubernetes pod specifications for runtime and builder environments. The merge logic propagated without any filtering fields such as hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName supplied by the user. The Environment.Validate function performed no security checks on these fields, allowing them to be freely overwritten by an unprivileged user.

Impact

An attacker with access to create or modify Environment CRD resources can launch containers with host privileges (hostNetwork, hostPID, hostIPC, privileged) or assume the identity of any ServiceAccount in the cluster, which in practice can lead to complete compromise of a Kubernetes node or the entire cluster.

Mitigation & patch

Fission should be updated to version 1.24.0, where the issue has been fixed. The patch is available in the official GitHub repository of the project: https://github.com/fission/fission/releases/tag/v1.24.0

Who is affected

Fission in versions earlier than 1.24.0 (open-source Kubernetes-native serverless framework)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References