Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and Function CRDs (ValidatePodSpecSafety / ValidateContainerSafety admission webhook + sanitizeContainerSecurityContext executor merge layer), but the capability check was implemented as a fixed denylist of six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE). The denylist omitted CAP_SYS_TIME, among others. As a result, a tenant who could create a Function or Environment CRD could request securityContext.capabilities.add: ["SYS_TIME"], pass Fission's admission validation and merge-layer sanitization, and run attacker-controlled code with CAP_SYS_TIME in the resulting function or runtime container. This issue has been patched in version 1.25.0.
Published: 2026-06-10
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fission, a Kubernetes-native serverless platform, performed PodSpec validation to restrict capabilities for tenant‑created Functions and Environments, but the denylist omitted CAP_SYS_TIME. An attacker with tenant permissions could specify this capability, bypass admission validation, and run code within a container that gains the ability to set the node’s system clock. This privilege escalation can lead to altered timestamps, misleading logs, and potential denial of service or other time‑dependent attacks.

Affected Systems

The vulnerability affects all released versions of Fission prior to 1.25.0, where the admission webhook and sanitization layer were active. The fix is contained in version 1.25.0 and later.

Risk and Exploitability

The CVSS score of 8.5 signals a high severity issue. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, but the exploit path is clear: a tenant can create an Environment or Function with the malicious capability. As long as the tenant has write access to CRDs, the attacker can trigger the vulnerability locally on the cluster node, making it a significant risk in multi‑tenant environments.

Generated by OpenCVE AI on June 10, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Fission to version 1.25.0 or newer, which removes the omission from the capability denylist.
  • If an upgrade is delayed, deploy a custom admission webhook or modify the existing one to reject any pod spec that includes CAP_SYS_TIME.
  • Audit existing Functions and Environments for the added capability and temporarily roll back or delete those that contain CAP_SYS_TIME until a patch is applied.
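
An added example, not Fission's or OpenCVE's code: the audit step above as a Python walker that finds every securityContext.capabilities.add entry in a manifest and compares the six-entry denylist from the description with an allowlist. The allowlist contents, the sample manifests and their field layout are constructed assumptions.

```python
# Added example (not Fission code): audit manifests for added Linux capabilities.
# The six names below are the pre-1.25.0 denylist quoted in the description.
PAGE_DENYLIST = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                 "DAC_READ_SEARCH", "DAC_OVERRIDE"}
ALLOWLIST = {"NET_BIND_SERVICE"}  # assumption: a site policy, not Fission's fix

def normalize(cap):
    """Compare names case-insensitively and without the CAP_ prefix."""
    cap = str(cap).strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def added_capabilities(node, path="$"):
    """Yield (path, capability) for each securityContext.capabilities.add entry."""
    if isinstance(node, dict):
        sc = node.get("securityContext")
        caps = sc.get("capabilities") if isinstance(sc, dict) else None
        add = caps.get("add") if isinstance(caps, dict) else None
        for cap in add if isinstance(add, list) else []:
            yield path, normalize(cap)
        for key, value in node.items():
            yield from added_capabilities(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from added_capabilities(value, f"{path}[{i}]")

def audit(manifest):
    """Report each added capability and how each policy style treats it."""
    name = f'{manifest.get("kind")}/{manifest.get("metadata", {}).get("name")}'
    return [{"object": name, "path": path, "capability": cap,
             "denylist_rejects": cap in PAGE_DENYLIST,
             "allowlist_rejects": cap not in ALLOWLIST}
            for path, cap in added_capabilities(manifest)]

# Constructed sample objects; the walker does not depend on this field layout.
SAMPLE_FUNCTION = {"kind": "Function", "metadata": {"name": "demo-fn"},
    "spec": {"podspec": {"containers": [{"name": "demo-fn",
        "securityContext": {"capabilities": {"add": ["SYS_TIME"]}}}]}}}
SAMPLE_ENVIRONMENT = {"kind": "Environment", "metadata": {"name": "demo-env"},
    "spec": {"runtime": {"podspec": {"containers": [{"name": "demo-env",
        "securityContext": {"capabilities": {"add": ["cap_sys_admin",
                                                     "NET_BIND_SERVICE"]}}}]}}}}

if __name__ == "__main__":
    for obj in (SAMPLE_FUNCTION, SAMPLE_ENVIRONMENT):
        for finding in audit(obj):
            print(finding)
```

Any finding where denylist_rejects is False and allowlist_rejects is True is a capability the six-entry denylist would have let through.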



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Values added:

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 18:15:00 +0000

Values added:

  • Description: the text shown under Description at the top of this page.
  • Title: Fission: Incomplete capability denylist in Environment/Function PodSpec validation allows tenant-added CAP_SYS_TIME and cross-tenant node wall-clock corruption
  • Weaknesses: CWE-269, CWE-732
  • References
  • Metrics (cvssV3_1): {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:37:36.661Z

Reserved: 2026-06-04T21:34:34.427Z

Link: CVE-2026-50570

Vulnrichment

Updated: 2026-06-10T18:37:19.375Z

NVD

Status: Deferred

Published: 2026-06-10T18:17:13.623

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50570

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z
