Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL — and CEL had no rules on those fields either — so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0.
Published: 2026-06-10
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from Fission's HTTPTriggerSpec.Validate() omitting validation of the RelativeURL and Prefix fields. Those fields were checked only by the CLI; the HTTPTrigger admission webhook had been retired in favor of API-server CEL rules, and CEL carried no rules for them either. As a result, an attacker can supply arbitrary RelativeURL or Prefix values when creating or updating HTTPTrigger resources via kubectl apply or direct REST API calls. This bypasses URL-level restrictions, potentially allowing unauthorized function exposure or manipulation, and falls under CWE-20 (Improper Input Validation).

Affected Systems

The flaw affects all Fission releases older than v1.25.0. Users running any version of the Fission serverless framework on Kubernetes that uses HTTPTrigger resources are susceptible until the update is applied.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate impact. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog. An exploit requires permissions to create or modify HTTPTrigger objects, which typically translates to cluster-level RBAC or component-level service accounts. Attackers with such privileges could inject arbitrary URLs, potentially exposing internal endpoints or allowing unintended traffic routing. The lack of a public exploit reduces current risk, but the vulnerability remains exploitable until remediated.

Generated by OpenCVE AI on June 10, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fission deployment to v1.25.0 or newer to apply the official fix.
  • Limit RBAC permissions for creating or updating HTTPTrigger resources to trusted users or service accounts only.
  • Implement a custom validating webhook that enforces RelativeURL and Prefix checks when no upgrade path is immediately available.
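As an added example (not code from the Fission project or this advisory), the following Kubernetes ValidatingAdmissionPolicy re-applies URL-level checks on HTTPTrigger objects at the API server, so the kubectl apply and direct REST paths that skip the CLI are covered. It assumes the CRD is served as fission.io/v1 with spec fields spec.relativeurl and spec.prefix, and its rules (absolute path, no scheme, no "..") are an illustrative constraint set rather than the CLI's exact checks.

```yaml
# Added example, not Fission's own manifests. Assumptions: HTTPTrigger is
# fission.io/v1 and the fields are spec.relativeurl / spec.prefix; confirm
# with `kubectl explain httptrigger.spec` before applying. The rules below
# are an illustrative constraint set, not the CLI's exact validation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: fission-httptrigger-url-guard
spec:
  failurePolicy: Fail          # reject the request if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: ["fission.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["httptriggers"]
  validations:
    # An empty or absent relativeurl is left alone; a set value must be an
    # absolute path with no scheme and no parent-directory segment.
    - expression: |
        !has(object.spec.relativeurl) || object.spec.relativeurl == "" ||
        (object.spec.relativeurl.startsWith("/") &&
         !object.spec.relativeurl.contains("://") &&
         !object.spec.relativeurl.contains(".."))
      message: "spec.relativeurl must be an absolute path without a scheme or '..'"
    # Same constraints for the prefix-based routing field.
    - expression: |
        !has(object.spec.prefix) || object.spec.prefix == "" ||
        (object.spec.prefix.startsWith("/") &&
         !object.spec.prefix.contains("://") &&
         !object.spec.prefix.contains(".."))
      message: "spec.prefix must be an absolute path without a scheme or '..'"
---
# The binding makes the policy active cluster-wide and turns violations into denials.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: fission-httptrigger-url-guard
spec:
  policyName: fission-httptrigger-url-guard
  validationActions: ["Deny"]
```

ValidatingAdmissionPolicy is generally available in admissionregistration.k8s.io/v1 from Kubernetes 1.30; on older clusters the same expressions can be hosted in a validating webhook instead.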

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL — and CEL had no rules on those fields either — so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0.
Title | | Fission: HTTPTrigger admission omits RelativeURL / Prefix validation; kubectl apply bypasses CLI checks
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:57:26.915Z

Reserved: 2026-06-04T21:34:34.427Z

Link: CVE-2026-50569

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-10T18:17:13.483

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses