Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.
Published: 2026-06-10
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Fission’s Environment Custom Resource Definition, which exposes pod specification fields—such as hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName—to user input without validation. When an Environment object is created or updated, these fields are merged into the runtime and builder pod specs, allowing an attacker to spawn privileged or host‑level pods that can bypass normal Kubernetes isolation. This leads to full compromise of the node, giving an attacker root-level access to the underlying host machine and potentially to the entire cluster.

Affected Systems

All installations of the Fission serverless framework running a version earlier than 1.24.0 are affected. The issue is present in every release prior to the 1.24.0 update, and any Environment CRD in those versions that contains unfiltered podSpec values is vulnerable.

Risk and Exploitability

The CVSS score of 9.9 classifies this as critical severity. While no EPSS score is available, the lack of a CISA KEV listing does not diminish the inherent risk; Kubernetes environments are a high-value target for attackers seeking escalation. The likely attack vector requires the ability to create or modify Environment objects, typically granted to developers or CI/CD systems; from that position an attacker can inject privileged pods, effectively escaping the node containment. This can lead to persistently compromised hosts, data exfiltration, or further lateral movement within the cluster.

Generated by OpenCVE AI on June 10, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fission to version 1.24.0 or later as released by the vendor.
  • After the upgrade, review all existing Environment resources and delete or patch any that set hostNetwork, hostPID, hostIPC, privileged, or non‑default serviceAccountName.
  • Deploy an admission controller that blocks creation of Environment CRDs containing hostNetwork, hostPID, hostIPC, privileged, or non-default serviceAccountName fields to prevent future misuse.

Generated by OpenCVE AI on June 10, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gx55-f84r-v3r7 Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
History

Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Fission
Fission fission
Vendors & Products Fission
Fission fission

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.
Title Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
Weaknesses CWE-269
CWE-284
CWE-693
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Fission Fission
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T03:55:21.976Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50564

cve-icon Vulnrichment

Updated: 2026-06-10T18:47:39.902Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T18:17:12.740

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50564

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T10:41:17Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control

  • CWE-693

    Protection Mechanism Failure