CVE-2026-50563
Deferred - Pending Action
Privilege Escalation in Fission Kubernetes Framework

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the executor-built podspec and creates a Deployment whose pods run the user's container image. This issue has been patched in version 1.24.0.
Meta Information
  • Published: 2026-06-10
  • Last Modified: 2026-06-10
  • Generated: 2026-06-17
  • AI Q&A: 2026-06-10
  • EPSS Evaluated: 2026-06-16
Affected Vendors & Products
3 associated CPEs

Vendor               Product   Version / Range
open_source_fission  fission   to 1.24.0 (exc)
fission              fission   to 1.24.0 (exc)
fission              fission   1.24.0
Weaknesses (CWE)
  • CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
  • CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-50563 is a critical vulnerability in Fission, a Kubernetes-native serverless framework. The issue occurs because the Container Executor path allows a tenant to supply a crafted Function.spec.podspec that is merged into the executor-built podspec without proper validation. This merge process can include dangerous pod-security configurations such as host namespaces, privileged containers, and hostPath volumes.

The vulnerability arises from two main flaws: first, the validation function only checks if spec.PodSpec is non-nil but does not inspect its content; second, the merge function forwards unsafe settings unconditionally into the Deployment specification. This allows a tenant with minimal permissions (functions.fission.io/create) to escalate privileges and potentially escape the node by deploying a privileged pod that mounts the host root filesystem.

The issue was patched in version 1.24.0 by adding strict validation to reject unsafe podspec configurations and applying sanitization similar to that used for the Environment path.

Impact Analysis

This vulnerability can have severe impacts including privilege escalation, node escape, and potentially full cluster takeover. An attacker with low privileges can deploy a pod with dangerous configurations that bypass security controls, gaining access beyond their intended scope.

  • Confidentiality impact: unauthorized access to sensitive data on the node or cluster.
  • Integrity impact: ability to modify or interfere with system or application processes.
  • Availability impact: disruption or denial of service by compromising critical components.

The vulnerability requires low privileges and no user interaction, making it highly exploitable and dangerous in Kubernetes environments using vulnerable Fission versions.

Detection Guidance

This vulnerability involves unsafe PodSpec configurations in Fission functions or environments that allow privilege escalation. To detect it, you should inspect the PodSpec fields of deployed Fission Functions and Environments for dangerous settings such as host namespaces, privileged containers, hostPath volumes, and dangerous Linux capabilities.

You can use kubectl commands to list and examine the PodSpec of Fission Functions and Environments for unsafe configurations.

  • kubectl get functions -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{.spec.podspec}{"\n\n"}{end}'
  • kubectl get environments -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{.spec.runtime.podspec}{"\n"}{.spec.builder.podspec}{"\n\n"}{end}'

Look specifically for fields like hostNetwork, hostPID, hostIPC, privileged, allowPrivilegeEscalation, hostPath volumes, and Linux capabilities such as SYS_ADMIN or NET_ADMIN.
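
The manual review described above can be automated. The following is an added example, not code from the Fission project or from the original page: it reads the JSON that kubectl returns with -o json and reports each Function or Environment whose podspec sets one of the fields listed above. The sample input is constructed, and the Environment podspec locations (spec.runtime.podspec, spec.builder.podspec) are an assumption about the CRD layout.

```python
import json
import sys

RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN"}  # capabilities named on this page

def unsafe_fields(podspec):
    """Return the set of hazardous settings present in one PodSpec dict."""
    hits = {k for k in ("hostNetwork", "hostPID", "hostIPC") if podspec.get(k) is True}
    for vol in podspec.get("volumes") or []:
        if vol.get("hostPath") is not None:
            hits.add("hostPath:" + str(vol["hostPath"].get("path", "?")))
    for group in ("containers", "initContainers"):
        for ctr in podspec.get(group) or []:
            sc = ctr.get("securityContext") or {}
            hits |= {f for f in ("privileged", "allowPrivilegeEscalation") if sc.get(f) is True}
            added = (sc.get("capabilities") or {}).get("add") or []
            hits |= {"cap:" + c for c in added if c.upper() in RISKY_CAPS}
    return hits

def scan(resource_list):
    """Map 'namespace/name' to sorted findings for items with an unsafe podspec."""
    report = {}
    for item in resource_list.get("items", []):
        spec = item.get("spec") or {}
        # Function: spec.podspec. Environment (assumed layout): runtime/builder podspec.
        specs = [spec.get("podspec"), (spec.get("runtime") or {}).get("podspec"),
                 (spec.get("builder") or {}).get("podspec")]
        hits = set().union(*(unsafe_fields(ps) for ps in specs if ps))
        if hits:
            meta = item.get("metadata") or {}
            report[f"{meta.get('namespace', 'default')}/{meta.get('name')}"] = sorted(hits)
    return report

# Constructed sample in the shape of `kubectl get functions -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "hello", "namespace": "team-a"},
     "spec": {"podspec": {"containers": [{"name": "hello", "image": "example/hello:1"}]}}},
    {"metadata": {"name": "batch", "namespace": "team-b"},
     "spec": {"podspec": {
         "hostPID": True,
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
         "containers": [{"name": "batch", "image": "example/batch:1",
                         "securityContext": {"privileged": True,
                                             "capabilities": {"add": ["SYS_ADMIN"]}}}]}}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, hits in scan(data).items():
        print(name + ": " + ", ".join(hits))
```

Pass a file saved from kubectl get functions -A -o json (or the environments equivalent) as the first argument to scan a real cluster export; an empty result means no listed field was set.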

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Fission to version 1.24.0 or later, where the issue has been patched.

The patch adds validation to reject unsafe PodSpec configurations and applies sanitization to prevent dangerous fields from being merged into deployments.

Additionally, ensure that admission webhooks enforcing denylist validation of hazardous PodSpec fields are active and properly configured to block creation or updates of Functions or Environments with unsafe settings.

Review and restrict tenant permissions to minimize the risk of privilege escalation, especially limiting the functions.fission.io/create permission to trusted users.

Compliance Impact

The vulnerability in Fission allows a tenant with low privileges to escalate their permissions and achieve node escape by deploying privileged pods with host root filesystem access. This leads to a critical impact on confidentiality, integrity, and availability of the affected Kubernetes cluster.

Such a compromise can result in unauthorized access to sensitive data and disruption of services, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict controls over data confidentiality and system integrity.

Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to potential data breaches and loss of control over protected environments.
