Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.
Published: 2026-06-10
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Fission’s Environment Custom Resource Definition, which exposes pod specification fields—such as hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName—to user input without validation. When an Environment object is created or updated, these fields are merged into the runtime and builder pod specs, allowing an attacker to spawn privileged or host‑level pods that can bypass normal Kubernetes isolation. This leads to full compromise of the node, giving an attacker root-level access to the underlying host machine and potentially to the entire cluster.

Affected Systems

All installations of the Fission serverless framework running a version earlier than 1.24.0 are affected. The issue is present in every release prior to the 1.24.0 update, and any Environment CRD in those versions that contains unfiltered podSpec values is vulnerable.

Risk and Exploitability

The CVSS score of 9.9 classifies this as critical severity. While no EPSS score is available, the lack of a CISA KEV listing does not diminish the inherent risk; Kubernetes environments are a high-value target for attackers seeking privilege escalation. The likely attack vector requires the ability to create or modify Environment objects, a permission typically granted to developers or CI/CD systems; from that position an attacker can inject privileged pods, effectively escaping container isolation on the node. This can lead to persistently compromised hosts, data exfiltration, or further lateral movement within the cluster.

Generated by OpenCVE AI on June 10, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fission to version 1.24.0 or later as released by the vendor.
  • After the upgrade, review all existing Environment resources and delete or patch any that set hostNetwork, hostPID, hostIPC, privileged, or non‑default serviceAccountName.
  • Deploy an admission controller that blocks creation of Environment resources containing hostNetwork, hostPID, hostIPC, privileged, or non-default serviceAccountName fields to prevent future misuse.
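
One way to carry out the review of existing Environment resources described above. This is an added example, not code from Fission or OpenCVE. It assumes the objects have been exported as a JSON list (for example with kubectl get environments.fission.io -A -o json, where the resource name is an assumption) and that the privileged flag sits under each container's securityContext, as in a standard Kubernetes PodSpec. The sample data and its names are constructed.

```python
# Added example: audit Fission Environment objects for the podSpec fields named above.
POD_FLAGS = ("hostNetwork", "hostPID", "hostIPC")


def audit_environment(env):
    """Return (field path, value) findings for one Environment object (a dict)."""
    findings = []
    spec = env.get("spec") or {}
    for role in ("runtime", "builder"):
        podspec = (spec.get(role) or {}).get("podSpec") or {}
        base = f"spec.{role}.podSpec"
        for flag in POD_FLAGS:
            if podspec.get(flag) is True:
                findings.append((f"{base}.{flag}", True))
        # Any explicit service account is reported so a reviewer can judge it.
        sa = podspec.get("serviceAccountName")
        if sa:
            findings.append((f"{base}.serviceAccountName", sa))
        for kind in ("containers", "initContainers"):
            for i, ctr in enumerate(podspec.get(kind) or []):
                if (ctr.get("securityContext") or {}).get("privileged") is True:
                    findings.append((f"{base}.{kind}[{i}].securityContext.privileged", True))
    return findings


def audit_list(doc):
    """Audit a Kubernetes List document; return {namespace/name: findings}."""
    report = {}
    for env in doc.get("items") or []:
        meta = env.get("metadata") or {}
        hits = audit_environment(env)
        if hits:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = hits
    return report


# Constructed sample (hypothetical names), shaped like `-o json` list output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "python-clean"},
     "spec": {"runtime": {"podSpec": {"containers": [{"name": "python-clean"}]}}}},
    {"metadata": {"namespace": "team-a", "name": "node-risky"},
     "spec": {"runtime": {"podSpec": {"hostPID": True, "serviceAccountName": "ci-deployer"}},
              "builder": {"podSpec": {"hostNetwork": False, "containers": [
                  {"name": "builder", "securityContext": {"privileged": True}}]}}}},
]}

if __name__ == "__main__":
    for name, hits in audit_list(SAMPLE).items():
        for path, value in hits:
            print(f"{name}: {path} = {value!r}")
```

To run it against a cluster export, load the JSON with json.load and pass the result to audit_list in place of SAMPLE.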

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.
Title | | Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
Weaknesses | | CWE-269, CWE-284, CWE-693
References | |
Metrics | | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:47:43.631Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50564

Vulnrichment

Updated: 2026-06-10T18:47:39.902Z

NVD

Status: Deferred

Published: 2026-06-10T18:17:12.740

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:15:24Z
