CVE-2026-46618
Status: Deferred - Pending Action
Fission Builder Command Injection Vulnerability

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context. This issue has been patched in version 1.23.0.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-06-10
EPSS evaluated: 2026-06-16
Affected Vendors & Products (1 associated CPE)
Vendor: fission; Product: fission; Version / Range: 1.23.0
CWE
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-46618 is a vulnerability in Fission, an open-source Kubernetes-native serverless framework. The issue occurs because the builder component passes user-supplied commands directly to Go's exec.Command function without validating the executable path or its arguments. This allows an attacker who has permissions to create or update Environment Custom Resource Definitions (CRDs) to inject and execute arbitrary code inside the builder pod.

Specifically, an attacker can specify any executable inside the builder image (for example, /bin/sh -c '...') to run malicious commands within the builder pod's context. This vulnerability was fixed in version 1.23.0 by adding validation to ensure only safe, absolute paths are accepted.

Impact Analysis

This vulnerability can allow an attacker with Environment CRD create or update privileges to execute arbitrary code inside the builder pod. This could lead to unauthorized file access or modification within the builder pod's filesystem and the namespace's package contents.

The impact is limited to the builder pod and its namespace, but it could enable attackers to manipulate build processes, compromise the integrity of deployed functions, or escalate further attacks within that scope.

Until patched, mitigations include restricting Environment CRD modifications to trusted operators, auditing existing commands, and tightening permissions of the builder manager's ServiceAccount.

Detection Guidance

This vulnerability can be detected by auditing Environment Custom Resource Definitions (CRDs) in your Kubernetes namespaces for suspicious or unexpected values in the Environment.spec.builder.command field. Since the vulnerability involves injection of arbitrary commands into this field, reviewing these commands can help identify exploitation attempts.

Additionally, monitoring the builder pod logs and filesystem for unauthorized command executions or unexpected file modifications can help detect exploitation.

  • Use kubectl to list Environment CRDs and inspect the builder.command field: kubectl get environments -A -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.builder.command}{"\n"}{end}'
  • Check builder pod logs for suspicious command execution: kubectl logs -n <builder-namespace> <builder-pod-name>
  • Audit Role-Based Access Control (RBAC) permissions to identify who can create or update Environment CRDs: kubectl get rolebindings,clusterrolebindings -A | grep builder (this only matches bindings whose names contain "builder"; also review the rules of the bound Roles and ClusterRoles for create or update verbs on the environments resource)
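As an added example (not Fission's own code and not part of this advisory), the validator below applies the kind of check the description says 1.23.0 introduced for Environment.spec.builder.command, and the audit function reuses it over the "namespace name command" lines printed by the kubectl query in the first bullet. The allowlist of builder executables and the sample kubectl output are constructed assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical allowlist; a real deployment derives it from the builder images it ships.
var allowedBuilders = map[string]bool{"/usr/local/bin/build": true, "/builder/run": true}
// ValidateBuilderCommand applies the kind of check the 1.23.0 fix is described as adding:
// a clean, absolute, allowlisted executable and no shell metacharacters in any argument.
// It returns the argv that would otherwise reach exec.Command unchecked.
func ValidateBuilderCommand(raw string) ([]string, error) {
	argv := strings.Fields(raw) // the same split the vulnerable code performed
	if len(argv) == 0 {
		return nil, fmt.Errorf("empty builder command")
	}
	if !filepath.IsAbs(argv[0]) || filepath.Clean(argv[0]) != argv[0] {
		return nil, fmt.Errorf("executable %q is not a clean absolute path", argv[0])
	}
	if !allowedBuilders[argv[0]] {
		return nil, fmt.Errorf("executable %q is not an allowlisted builder", argv[0])
	}
	for _, a := range argv[1:] {
		if strings.ContainsAny(a, ";&|$`<>(){}'\"\\") {
			return nil, fmt.Errorf("argument %q contains shell metacharacters", a)
		}
	}
	return argv, nil
}

// AuditEnvironments reads "namespace name command" lines as printed by the kubectl jsonpath
// query above and returns one finding per Environment that fails validation. An empty
// command (image default) is skipped; that is a policy choice of this example, not Fission's.
func AuditEnvironments(kubectlOutput string) []string {
	var findings []string
	for _, line := range strings.Split(kubectlOutput, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), " ", 3)
		if len(parts) < 3 {
			continue
		}
		if _, err := ValidateBuilderCommand(parts[2]); err != nil {
			findings = append(findings, fmt.Sprintf("%s/%s: %v", parts[0], parts[1], err))
		}
	}
	return findings
}

// Constructed sample output, not captured from a real cluster.
const sampleOutput = "default python-env /usr/local/bin/build\nteam-a node-env /bin/sh -c true\nteam-b go-env build.sh\nteam-c empty-env \n"
```

Running AuditEnvironments(sampleOutput) reports the node-env (non-allowlisted shell) and go-env (relative path) Environments and leaves the other two alone.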
Mitigation Strategies

Immediate mitigation steps include restricting the ability to create or update Environment CRDs to trusted operators only, thereby preventing untrusted users from injecting malicious commands.

Audit and review existing Environment CRDs for any suspicious or unsafe builder.command values and correct or remove them.

Tighten the permissions of the builder manager's ServiceAccount to follow the principle of least privilege, limiting what a compromised builder pod can do in the cluster.

Upgrade Fission to version 1.23.0 or later, where the vulnerability is patched by validating the builder command paths to allow only safe, absolute paths.

Compliance Impact

The CVE-2026-46618 vulnerability allows an attacker with privileges to create or update Environment CRDs to execute arbitrary code within the builder pod, potentially leading to unauthorized file access or modification within the builder pod's namespace.

Such unauthorized code execution and file access could pose risks to data confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA.

However, the impact is limited to the builder pod's filesystem and namespace package contents, and the vulnerability does not directly disclose personal or protected health information.

Organizations using affected versions should mitigate the risk by restricting Environment CRD modifications to trusted operators and upgrading to the patched version to maintain compliance with security requirements of these regulations.
