Skip to main content

Fission CVE-2026-50569

| EUVDEUVD-2026-36073 MEDIUM
Improper Input Validation (CWE-20)
2026-06-10 GitHub_M
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 19:04 vuln.today
Analysis Generated
Jun 10, 2026 - 19:04 vuln.today

DescriptionNVD

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL - and CEL had no rules on those fields either - so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0.

AnalysisAI

Input validation bypass in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows authenticated users with Kubernetes API access to create HTTPTrigger resources with malformed or unsafe URL paths, achieving low-integrity routing manipulation. The RelativeURL and Prefix fields in HTTPTriggerSpec were validated only at the Fission CLI layer; when the post-CRD-modernization admission webhook was retired in favor of API-server CEL, no CEL rules were authored for those two fields - leaving a complete gap exploitable via kubectl apply or direct Kubernetes REST API calls. No public exploit code exists and this CVE is not listed in CISA KEV, but the bypass is straightforward for any cluster user with HTTPTrigger create rights.

Technical ContextAI

Fission implements serverless functions on Kubernetes using Custom Resource Definitions (CRDs); HTTPTrigger CRD resources map URL paths to deployed functions via the Fission router. The root cause is CWE-20 (Improper Input Validation): HTTPTriggerSpec.Validate() in pkg/apis/core/v1/validation.go enforced constraints on Methods, FunctionReference, Host, IngressConfig, and CorsConfig but silently skipped the RelativeURL and Prefix fields. Path safety was only enforced in pkg/fission-cli/cmd/httptrigger/create.go:83, which is only reached by the Fission CLI tool. During CRD modernization, Fission retired its HTTPTrigger admission webhook and adopted Kubernetes API-server CEL expressions for validation - but the replacement CEL rules in crds/v1/fission.io_httptriggers.yaml contained no constraints on relativeurl or prefix, making the API-server admission gate equivalent to no-op for those fields. The affected CPE is cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:* (all versions before 1.25.0). The fix in PR #3464 adds matching CEL x-kubernetes-validations rules directly into the CRD YAML and mirrors them in a new validateTriggerPath() Go function, ensuring both the API server and the CLI agree on what paths are admissible.

RemediationAI

Upgrade Fission to version 1.25.0, which is confirmed patched per the GitHub release at https://github.com/fission/fission/releases/tag/v1.25.0 and the security advisory GHSA-vchh-r53j-8mpw. The fix adds CEL x-kubernetes-validations rules directly into the HTTPTrigger CRD and mirrors them in Go validation code, closing the bypass for both kubectl apply and REST API paths. If an immediate upgrade is not feasible, a compensating control is to restrict Kubernetes RBAC permissions so that only highly trusted principals (e.g., a dedicated Fission operator service account) hold create and update rights on the httptriggers.fission.io CRD; this limits the population of potential abusers but does not eliminate the validation gap. Auditing existing HTTPTrigger resources for suspicious RelativeURL or Prefix values - particularly those containing .., starting with /fission-function/, or matching /router-healthz, /readyz, /_version, or /auth/login - should be performed on all pre-1.25.0 clusters before upgrading. Note that tightening RBAC for HTTPTrigger CRs may break developer self-service workflows that rely on direct kubectl access.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-50569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy