Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the executor-built podspec and creates a Deployment whose pods run the user's container image. This issue has been patched in version 1.24.0.
Published: 2026-06-10
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fission is an open‑source, Kubernetes‑native serverless platform. In versions prior to 1.24.0 the Container Executor allows a tenant to include a custom Function.spec.podspec, which the executor merges directly into the pod specification that it subsequently uses to create a Deployment. This merge occurs before the Deployment is instantiated, permitting the tenant to inject arbitrary container and pod settings. If an attacker supplies malicious podspec content, the resulting pod will execute at the node level with the node's privileges, effectively escaping the tenant’s security boundaries. The weakness demonstrates Improper Privilege Management (CWE‑269) and Improper Access Control (CWE‑284).

Affected Systems

Every installation of Fission earlier than version 1.24.0 is affected. The issue resides in the Container Executor component, and any tenant that can define Function.spec.podspec values against a vulnerable cluster is at risk. The patch is distributed with Fission release 1.24.0 and later versions no longer merge unvalidated podspecs.

Risk and Exploitability

The vulnerability has a CVSS score of 9.9, indicating critical severity. An EPSS score is not provided, and the feature is not listed in CISA’s KEV catalog, but the high CVSS remains a strong indicator of potential impact. The likely attack vector is an actor with tenant‑level permissions in a shared Kubernetes cluster who supplies a malicious podspec; this inference is drawn from the description that the tenant supplies Function.spec.podspec. Successful exploitation would give the attacker full control over the affected node, bypassing typical pod‑security restrictions.

Generated by OpenCVE AI on June 10, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fission to version 1.24.0 or newer, which removes the insecure podspec merge behaviour.
  • If an upgrade cannot be performed immediately, modify tenant permissions so that Function.spec.podspec cannot be supplied or enforce a restrictive schema validator that rejects unsafe pod configuration before merging.
  • Deploy admission controllers or RBAC policies that restrict the creation of Deployments or injection of pod specifications to only trusted administrators, thereby preventing unauthenticated podspec injection.

Generated by OpenCVE AI on June 10, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v455-mv2v-5g92 Fission Container Executor Function PodSpec Injection Leading to Node Escape
History

Thu, 11 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Fission
Fission fission
Vendors & Products Fission
Fission fission

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the executor-built podspec and creates a Deployment whose pods run the user's container image. This issue has been patched in version 1.24.0.
Title Fission Container Executor Function PodSpec Injection Leading to Node Escape
Weaknesses CWE-269
CWE-284
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T03:55:20.899Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50563

cve-icon Vulnrichment

Updated: 2026-06-11T13:57:23.910Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T18:17:12.607

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50563

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T10:41:19Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control