CVE-2026-46618
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
Fission is a serverless framework, Kubernetes-native, that prior to version 1.23.0 had a security vulnerability. In pkg/builder/builder.go, the Environment.spec.builder.command was passed without validation, allowing arbitrary code execution in the builder pod context.
Risk Assessment
This vulnerability allowed users who could create or update Environment CRDs to point to any executable in the builder image, posing a significant security threat to applications running on Kubernetes.
Recommendation
It is recommended to upgrade to version 1.23.0 or later to mitigate this vulnerability and to implement additional command validation mechanisms in the future.
Original NVD description (English source)
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context. This issue has been patched in version 1.23.0.

