Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context. This issue has been patched in version 1.23.0.
Published: 2026-06-10
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in builder.go where Environment.spec.builder.command is passed directly to exec.Command after a strings.Fields split, without validating the executable path or its arguments. An attacker who can create or update Environment Custom Resource Definitions in a namespace that the builder manager monitors can set builder.command to any executable inside the builder image, such as '/bin/sh -c ...', thereby running arbitrary code inside the builder pod’s context. This grants full control of the pod and potentially escalated access to the underlying Kubernetes cluster.

Affected Systems

Affected product is Fission, an open‑source, Kubernetes‑native serverless framework. All versions released prior to v1.23.0 are vulnerable. The issue was addressed in the v1.23.0 release.

Risk and Exploitability

The CVSS score of 6.9 denotes moderate severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Exploitability requires the ability to create or modify Environment CRDs in namespaces observed by the builder manager, indicating that a typical attack vector would involve privileged control over cluster resources rather than external network reach.

Generated by OpenCVE AI on June 10, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fission to version 1.23.0 or later to apply the fix for builder.command handling.
  • Restrict RBAC permissions so that only trusted service accounts or administrators can create or update Environment CRDs in namespaces monitored by the builder manager.
  • Continuously monitor builder pod activity for unexpected invocation of exec.Command to detect any attempt to abuse the command field.

Generated by OpenCVE AI on June 10, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7pjr-qpvh-m339 Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
History

Wed, 10 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context. This issue has been patched in version 1.23.0.
Title Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
Weaknesses CWE-250
CWE-269
CWE-78
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:31:13.669Z

Reserved: 2026-05-15T19:34:14.012Z

Link: CVE-2026-46618

cve-icon Vulnrichment

Updated: 2026-06-10T19:11:17.912Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T18:17:05.863

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-46618

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses