CVE-2026-50569
Status: Deferred - Pending Action
HTTPTrigger URL Bypass in Fission

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL (and CEL had no rules on those fields either), so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Vendor Product Version / Range
fission framework to 1.25.0 (exc)
fission fission to 1.25.0 (exc)
fission fission From 1.25.0 (exc)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability in Fission, a Kubernetes-native serverless framework, arises from insufficient validation of the RelativeURL and Prefix fields in HTTPTrigger resources prior to version 1.25.0.

Originally, these fields were only validated at the CLI level, and after modernization replaced the admission webhook with API-server CEL validation, no validation rules existed for these fields at the API server level.

As a result, an attacker with permission to create HTTPTriggers could bypass the URL-level checks by creating triggers via kubectl or direct Kubernetes API calls with paths that the CLI would have rejected: empty paths, directory traversal sequences, root-only paths, or paths colliding with internal routes.

This could lead to routing disruptions or unauthorized access.

The issue was fixed in version 1.25.0 by adding strict validation rules both at the API server admission layer and in the application code to enforce path safety and prevent such bypasses.

Impact Analysis

This vulnerability can impact you by allowing an attacker with HTTPTrigger creation permissions to create triggers with malformed or unauthorized URL paths.

Such malformed paths can disrupt normal routing behavior within the Fission framework, potentially causing denial of service or interference with legitimate function routing.

Additionally, paths that collide with reserved or internal routes could be exploited to gain unauthorized access or manipulate internal functions, compromising the integrity of the system.

The CVSS score of 4.3 indicates a medium severity impact primarily related to integrity.

Detection Guidance

This vulnerability can be detected by inspecting HTTPTrigger resources in your Kubernetes cluster for malformed or suspicious RelativeURL or Prefix fields that bypass validation rules.

Specifically, look for HTTPTriggers created via kubectl or direct Kubernetes REST API calls that have:

  • Empty RelativeURL and no Prefix specified.
  • Paths containing directory traversal sequences (e.g., /api/../admin).
  • Root-only paths (e.g., /).
  • Paths colliding with router-owned or reserved routes (e.g., /router-healthz, /readyz, /_version, /auth/login).
  • Paths colliding with internal function prefixes (e.g., /fission-function/<namespace>/<name>).

You can use kubectl commands to list and inspect HTTPTrigger resources, for example:

  • kubectl get httptriggers --all-namespaces -o json | jq '.items[] | {name: .metadata.name, namespace: .metadata.namespace, relativeURL: .spec.relativeURL, prefix: .spec.prefix}'
  • kubectl get httptrigger <trigger-name> -n <namespace> -o yaml

Review the output for any RelativeURL or Prefix fields that match the suspicious patterns described above.
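The checks listed above can be run mechanically over the JSON that `kubectl get httptriggers --all-namespaces -o json` produces. The following scanner is an added example, not Fission project code: it assumes only the field names the page already uses (`.spec.relativeURL`, `.spec.prefix`) and the reserved routes and internal prefix named in the guidance above, and it ships with a constructed sample list so it runs offline.

```python
"""Flag HTTPTrigger objects whose relativeURL/prefix match the suspicious patterns above.

Added example (not Fission project code). Input shape follows
`kubectl get httptriggers -A -o json`: a dict with an "items" list whose
entries carry .spec.relativeURL and .spec.prefix.
"""
import json
import sys

# Router-owned routes named in the detection guidance (tuple keeps finding order stable).
RESERVED_ROUTES = ("/router-healthz", "/readyz", "/_version", "/auth/login")
# Internal function-routing prefix; anything under it collides with Fission's own routes.
INTERNAL_FUNCTION_PREFIX = "/fission-function/"


def path_findings(value: str, field: str) -> list[str]:
    """Return the reasons one URL-like value is suspicious (empty list if clean)."""
    findings = []
    norm = value.rstrip("/") or "/"          # "/foo/" and "/foo" are the same route
    if norm == "/":
        findings.append(f"{field} is the root-only path '/'")
    if ".." in value.split("/"):             # /api/../admin style traversal segment
        findings.append(f"{field} contains a directory-traversal segment: {value!r}")
    for reserved in RESERVED_ROUTES:
        if norm == reserved:
            findings.append(f"{field} collides with router-owned route {reserved}")
        elif field == "prefix" and reserved.startswith(norm + "/"):
            # A prefix that is an ancestor of a reserved route captures that route too.
            findings.append(f"{field} {value!r} shadows router-owned route {reserved}")
    if norm == INTERNAL_FUNCTION_PREFIX.rstrip("/") or value.startswith(INTERNAL_FUNCTION_PREFIX):
        findings.append(f"{field} collides with internal function prefix {INTERNAL_FUNCTION_PREFIX}")
    return findings


def scan_triggers(trigger_list: dict) -> list[dict]:
    """Check every HTTPTrigger in a kubectl JSON list; one record per suspicious trigger."""
    report = []
    for item in trigger_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        relative_url = spec.get("relativeURL") or ""
        prefix = spec.get("prefix") or ""    # "" when the field is absent
        findings = []
        if relative_url == "" and prefix == "":
            findings.append("relativeURL is empty and no prefix is set")
        if relative_url:
            findings += path_findings(relative_url, "relativeURL")
        if prefix:
            findings += path_findings(prefix, "prefix")
        if findings:
            report.append({"namespace": meta.get("namespace", "default"),
                           "name": meta.get("name", "?"), "findings": findings})
    return report


# Constructed sample list (not captured from a real cluster): one clean trigger
# followed by one trigger per suspicious pattern from the guidance above.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "hello"},
     "spec": {"relativeURL": "/hello", "methods": ["GET"]}},
    {"metadata": {"namespace": "default", "name": "empty-path"},
     "spec": {"relativeURL": ""}},
    {"metadata": {"namespace": "default", "name": "traversal"},
     "spec": {"relativeURL": "/api/../admin"}},
    {"metadata": {"namespace": "default", "name": "root-only"},
     "spec": {"relativeURL": "/"}},
    {"metadata": {"namespace": "default", "name": "reserved-route"},
     "spec": {"relativeURL": "/readyz"}},
    {"metadata": {"namespace": "default", "name": "internal-prefix"},
     "spec": {"relativeURL": "/fission-function/default/hello"}},
    {"metadata": {"namespace": "default", "name": "prefix-shadow"},
     "spec": {"prefix": "/auth"}},
]}

if __name__ == "__main__":
    # Usage: kubectl get httptriggers -A -o json > triggers.json && python scan.py triggers.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for rec in scan_triggers(data):
        print(f"{rec['namespace']}/{rec['name']}")
        for f in rec["findings"]:
            print(f"  - {f}")
```

Triggers that pass this scan are only clean with respect to the patterns the guidance lists; a trigger with a valid path can still be unwanted, so pair the scan with the RBAC and audit-log measures in the mitigation section.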

Mitigation Strategies

The primary mitigation step is to upgrade your Fission installation to version 1.25.0 or later, where this vulnerability has been patched.

The fix includes adding strict validation rules at the API server admission layer (using CEL) and in the application layer to ensure that HTTPTrigger paths are properly validated.

Until you can upgrade, consider the following immediate actions:

  • Audit existing HTTPTrigger resources for invalid or suspicious RelativeURL and Prefix fields and remove or correct them.
  • Restrict permissions to create or modify HTTPTrigger resources to trusted users only.
  • Monitor Kubernetes API server logs and audit logs for suspicious HTTPTrigger creation or modification attempts.

These steps help prevent exploitation by ensuring only valid HTTPTriggers are deployed and unauthorized path manipulations are detected.

Compliance Impact

The vulnerability allows authenticated users with HTTPTrigger creation permissions to bypass URL-level validation checks, potentially creating malformed or malicious HTTPTriggers that could disrupt routing or gain unauthorized access.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the potential for unauthorized access or routing disruption could impact data integrity and security controls required by these regulations.

Therefore, organizations using affected versions of Fission might face increased risk of non-compliance if this vulnerability is exploited, as it could undermine the integrity and security of applications handling sensitive data.
