CVE-2026-50567
Deferred Deferred - Pending Action
Path Traversal in Fission Kubernetes Framework

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result without checking whether the resolved path stayed under the destination. A zip entry named ../../tmp/evil therefore landed at /tmp/evil. An attacker who could control a Package.Spec.Source.URL or Deployment.URL archive could induce the fetcher (running as the per-environment pod's fission-fetcher sidecar) to write files anywhere that process could reach: into other tenants' /packages/<ns>/ directories, into mounted secret/config volumes, or into the fetcher's own binary. This issue has been patched in version 1.25.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-15
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-50567
EUVD
EUVD-2026-36071
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
fission framework 1.25.0
fission fission to 1.24.0 (inc)
fission fission 1.25.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50567 is a Zip Slip vulnerability in the Fission project's Unarchive function located in pkg/utils/zip.go. Prior to version 1.25.0, the function joined each archive entry name with the destination directory path without verifying if the resolved path stayed within the intended destination. This allowed a malicious zip entry with a path like ../../tmp/evil to write files outside the target directory, such as into /tmp/evil.

An attacker who controls a Package.Spec.Source.URL or Deployment.URL archive could exploit this to write files anywhere accessible by the fetcher process, including other tenants' directories, mounted secret or config volumes, or even overwrite the fetcher's own binary.

The vulnerability was fixed in version 1.25.0 by validating archive entries to reject absolute paths, parent directory traversal, and symlinks, and by confining file operations to the destination directory using os.Root.

Impact Analysis

This vulnerability can allow an attacker with the ability to supply package or deployment archives to write arbitrary files outside the intended directory. This can lead to unauthorized modification of files belonging to other tenants, overwriting sensitive mounted secrets or configuration files, or corrupting the fetcher's own executable.

Such unauthorized file writes compromise the integrity of the system and can lead to further exploitation or denial of service. The CVSS v3.1 base score of 7.7 reflects the high impact on integrity with no impact on confidentiality or availability.

Detection Guidance

This vulnerability involves path traversal in zip archive extraction within the Fission framework's fetcher sidecar. Detection involves identifying if any Package.Spec.Source.URL or Deployment.URL archives contain malicious zip entries with path traversal patterns such as "../../" or absolute paths.

You can inspect zip archives used by Fission for suspicious entries by listing their contents and checking for traversal paths.

  • Use the command `unzip -l <archive.zip>` to list the contents of the zip archive and look for entries containing `../` or absolute paths.
  • Use `zipinfo <archive.zip>` for a detailed listing of zip entries to detect suspicious file paths.
  • Monitor Kubernetes audit logs for creation or modification of Package CRDs or Deployments that reference archives with suspicious URLs.

Additionally, review the fetcher sidecar logs for any errors or unusual file writes outside expected directories.

Mitigation Strategies

The primary mitigation is to upgrade the Fission framework to version 1.25.0 or later, where the vulnerability has been fixed.

The fix includes validation of archive entries to reject absolute paths, parent directory traversal, and symlinks, and confines file operations to the destination directory using `os.Root`.

  • Upgrade Fission to version 1.25.0 or newer.
  • If upgrading immediately is not possible, restrict permissions so that only trusted users can create or modify Package CRDs or Deployments that reference archives.
  • Monitor and audit usage of the fetcher sidecar to detect any suspicious activity.

Avoid using untrusted or unauthenticated zip archives as sources for Package.Spec.Source.URL or Deployment.URL.

Compliance Impact

The vulnerability allows an attacker to write files outside the intended directory, potentially overwriting files in other tenants' directories or mounted secret/config volumes. This unauthorized file modification can lead to integrity violations of sensitive data or configurations.

Such integrity compromises could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of data integrity and confidentiality. Unauthorized file writes to secret or configuration volumes may expose or alter sensitive information, thus violating these regulatory requirements.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50567. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart