CVE-2026-50564
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
Fission is a serverless framework, native to Kubernetes, which prior to version 1.24.0 had a security issue related to the Environment CRD. The pod specs for runtime and builder lacked filtering for critical fields, potentially allowing unauthorized access to system resources.
Risk Assessment
The absence of proper filters in the pod specs could allow attackers to gain access to sensitive resources, posing a serious threat to the security of the Kubernetes environment.
Recommendation
It is recommended to upgrade Fission to version 1.24.0 or later to mitigate this vulnerability and to conduct an audit of pod configurations to ensure their security.
Original NVD description (English source)
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.

