Skip to main content

Fission CVE-2026-50568

| EUVDEUVD-2026-36072 LOW
Improper Resolution of Path Equivalence (CWE-41)
2026-06-10 GitHub_M
3.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.6 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 19:04 vuln.today
Analysis Generated
Jun 10, 2026 - 19:04 vuln.today

DescriptionNVD

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.

AnalysisAI

Path traversal in Fission's SanitizeFilePath function (pkg/utils/utils.go) allows a low-privileged tenant to read or write files outside an intended safe directory on a shared Kubernetes volume. Versions prior to 1.25.0 validated directory confinement using strings.HasPrefix, which performs a purely lexical string comparison: a sibling path such as /packages-extra/evil incorrectly passes a check for the safe directory /packages because it satisfies the string prefix condition without a directory-separator boundary. The builder's Clean handler and the fetcher's Fetch and Upload handlers were all affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Fission is a Kubernetes-native serverless framework (CPE: cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:*) that uses shared volumes between its builder and fetcher components to stage function packages. The root cause is CWE-41 (Improper Resolution of Path Equivalence): the retired SanitizeFilePath helper called Go's strings.HasPrefix(path, safedir) to enforce directory confinement, but this is a string-level check that does not honor filesystem path semantics. Because strings.HasPrefix does not require the matched prefix to end at a path separator, any sibling directory whose name shares the safe directory's string prefix bypasses the check entirely. The fix, introduced in PRs #3445 and #3446, replaces all call sites with a family of os.OpenRoot-based helpers (RootJoin, RootStat, RootWriteFile, RootMkdirAll, RootRename) that confine every filesystem operation to an explicitly opened directory file descriptor, making escape structurally impossible rather than textually validated.

RemediationAI

Vendor-released patch: v1.25.0. Upgrade Fission to version 1.25.0 or later, available at https://github.com/fission/fission/releases/tag/v1.25.0. The fix eliminates the vulnerable SanitizeFilePath helper entirely, replacing it with os.OpenRoot-based wrappers (RootJoin, RootStat, RootWriteFile, RootMkdirAll, RootRename) that use Linux's openat-family syscalls to structurally confine all path operations. For deployments that cannot immediately upgrade, a compensating control is to enforce strict Kubernetes RBAC and admission policies that prevent tenants from creating arbitrary directories or PersistentVolumeClaims on shared volumes used by the builder and fetcher - this directly removes the attacker's prerequisite of controlling a sibling directory. Note that this workaround requires careful policy scoping and does not fix the underlying code defect. Full remediation details are in PRs #3445 and #3446 at https://github.com/fission/fission/pull/3445 and https://github.com/fission/fission/pull/3446.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-50568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy