CVE-2026-29042
Command Injection in Nuclio Shell Runtime via HTTP Header
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iguazio | nuclio | < 1.15.20 (upper bound excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-75 | The product does not adequately filter user-controlled input for special elements with control implications. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29042 is a command injection vulnerability in the Nuclio Shell Runtime component prior to version 1.15.20. The issue arises because the runtime reads the HTTP header X-Nuclio-Arguments and directly incorporates its value into shell commands executed via sh -c without any validation or sanitization.

This allows attackers to inject arbitrary OS commands using shell metacharacters such as ;, backticks (`), $(), |, and &&. The vulnerable code concatenated user-supplied arguments into a single command string, which the shell then interprets, enabling command injection.

The root cause was the use of sh -c with a joined command string instead of executing the command with separate arguments. The vulnerability was fixed by replacing this with Go's exec.CommandContext, which runs commands directly without shell interpretation, preventing injection. [2, 3, 4]
How can this vulnerability impact me?
Exploiting this vulnerability allows an attacker with permission to invoke functions to execute arbitrary commands with root privileges inside the function container.
This can lead to unauthorized reading of sensitive files such as Kubernetes ServiceAccount tokens, which often have cluster-admin privileges.
With these tokens, an attacker can gain full control over the Kubernetes cluster, including reading secrets, modifying resources, deploying malicious workloads, altering RBAC policies, and establishing persistent backdoors.
The impact covers confidentiality (high), integrity (high), and availability (medium), potentially causing data breaches, supply chain compromises, ransomware, or denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves injection of malicious shell commands via the HTTP header X-Nuclio-Arguments when invoking Nuclio functions. Detection can focus on monitoring HTTP requests to Nuclio functions for suspicious or unusual values in this header containing shell metacharacters such as ;, `, $(), |, and &&.

You can detect exploitation attempts by capturing and inspecting HTTP traffic targeting Nuclio functions, looking specifically for the presence of these shell metacharacters in the X-Nuclio-Arguments header.

Additionally, monitoring function container logs for unexpected command execution or unusual output (e.g., presence of injected strings or unauthorized file contents) can help identify exploitation.

Suggested commands for detection include using network packet capture tools (e.g., tcpdump or Wireshark) with filters for HTTP headers, or using curl to test function endpoints with crafted X-Nuclio-Arguments headers containing suspicious characters to verify whether the system is vulnerable.

- Example curl command to test for the vulnerability: `curl -H "X-Nuclio-Arguments: ;id" http://<nuclio-function-endpoint>`
- Use tcpdump to capture HTTP traffic and filter for the X-Nuclio-Arguments header: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-Nuclio-Arguments'`
- Check function container logs for unexpected command output or errors indicating command injection attempts. [2, 3, 4]
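The following Go example is added here to illustrate both the root cause described above (a joined string handed to sh -c versus separate argv entries through exec.CommandContext) and the header-inspection detection idea. It is not Nuclio's own code; the handler path, the log-line format and the sample log lines are constructed placeholders.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"strings"
)

// shellMeta holds the metacharacters the advisory names: ; ` $ | &
// ("$()" and "&&" are caught by their first character).
const shellMeta = ";`$|&"

// SuspiciousArguments reports whether an X-Nuclio-Arguments value contains
// shell metacharacters and therefore deserves inspection.
func SuspiciousArguments(value string) bool {
	return strings.ContainsAny(value, shellMeta)
}

// FlagRequests scans constructed log lines of the form
// "<method> <path> X-Nuclio-Arguments: <value>" and returns the ones to flag.
func FlagRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		_, value, ok := strings.Cut(line, "X-Nuclio-Arguments: ")
		if ok && SuspiciousArguments(value) {
			hits = append(hits, line)
		}
	}
	return hits
}

// VulnerableCommand mirrors the pre-1.15.20 pattern from the advisory: the
// handler and the header value are joined into one string for sh -c, so the
// shell parses any metacharacter in the header. Built for comparison only.
func VulnerableCommand(handler, args string) *exec.Cmd {
	return exec.Command("sh", "-c", handler+" "+args)
}

// SafeCommand mirrors the fix: exec.CommandContext with separate argv entries.
// No shell is involved, so ";id" reaches the handler as one literal argument.
func SafeCommand(ctx context.Context, handler string, args []string) *exec.Cmd {
	return exec.CommandContext(ctx, handler, args...)
}

// SampleLog is constructed input (placeholder path and header values).
var SampleLog = []string{
	"POST /api/function_invocations X-Nuclio-Arguments: --verbose input.txt",
	"POST /api/function_invocations X-Nuclio-Arguments: ;id",
	"POST /api/function_invocations X-Nuclio-Arguments: `id`",
}

func main() {
	handler := "/opt/nuclio/handler.sh" // placeholder, not a real Nuclio path
	v := VulnerableCommand(handler, ";id")
	s := SafeCommand(context.Background(), handler, []string{";id"})
	fmt.Printf("sh -c argv: %q\nsafe argv:  %q\n", v.Args, s.Args)
	fmt.Printf("flagged %d of %d sample lines\n", len(FlagRequests(SampleLog)), len(SampleLog))
}
```

Neither command is executed; the point is visible in the argv each form builds, which is what a reviewer checks when auditing runtime code for this pattern.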
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the Nuclio Shell Runtime component entirely to prevent exploitation of the command injection vulnerability.
Restrict function deployment permissions using Kubernetes RBAC to trusted users only, minimizing the risk of malicious function invocation.
Apply network policies to restrict egress traffic from function pods, limiting the ability of an attacker to exfiltrate data even if exploitation occurs.
Upgrade Nuclio to version 1.15.20 or later, where the vulnerability has been fixed by removing the use of shell command concatenation and using safe parameterized command execution.
- Disable Shell Runtime via platform configuration: set platformConfig.runtimes.shell.enabled to false.
- Restrict Kubernetes RBAC permissions for function deployment and invocation.
- Implement network policies to limit pod egress traffic.
- Upgrade Nuclio to version 1.15.20 or later to apply the official patch.