CVE-2026-50564— Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
Possible ATT&CK Techniques 3AI
T1136.001 · Local Account T1136.003 · Cloud Account T1610 · Deploy ContainerGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-50564
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape
Source: NVD (National Vulnerability Database)
Vulnerability Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fission 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Fission是Fission开源的一个基于Kubernetes的函数部署框架。 Fission 1.24.0之前版本存在安全漏洞,该漏洞源于Environment CRD暴露的spec.runtime.podSpec和spec.builder.podSpec在合并时未过滤hostNetwork、hostPID、hostIPC、容器特权模式和serviceAccountName等字段,且Environment.Validate未进行安全相关检查。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-50564
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8138 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-50564
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-50564 (1)
Vendor Advisories for CVE-2026-50564 (1)
Vendor Pages for CVE-2026-50564 (1)
Same Patch Batch · fission · 2026-06-10 · 17 CVEs total
| CVE-2026-50563 | 9.9 CRITICAL | Fission Container Executor Function PodSpec Injection Leading to Node Escape |
| CVE-2026-50566 | 9.9 CRITICAL | Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows |
| CVE-2026-50545 | 9.9 CRITICAL | Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover |
| CVE-2026-46614 | 9.8 CRITICAL | Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invo |
| CVE-2026-46612 | 8.8 HIGH | Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function arc |
| CVE-2026-49824 | 8.5 HIGH | Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function |
| CVE-2026-50570 | 8.5 HIGH | Fission: Incomplete capability denylist in Environment/Function PodSpec validation allows |
| CVE-2026-49823 | 7.7 HIGH | Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission web |
| CVE-2026-49822 | 7.7 HIGH | Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant |
| CVE-2026-49821 | 7.7 HIGH | Fission: Cross-namespace Environment reference in Package allows build-time command execut |
| CVE-2026-50567 | 7.7 HIGH | Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetcher to write outside the destin |
| CVE-2026-50565 | 4.9 MEDIUM | Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-suppl |
| CVE-2026-50569 | 4.3 MEDIUM | Fission: HTTPTrigger admission omits RelativeURL / Prefix validation; kubectl apply bypass |
| CVE-2026-50568 | 3.6 LOW | Fission: SanitizeFilePath lexical HasPrefix bypass permits sibling-directory escape |
| CVE-2026-46617 | Fission runtime pods automount the fission-fetcher service-account token into the user fun | |
| CVE-2026-46618 | Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, |
IV. Related Vulnerabilities
Same product: fission
- CVE-2026-50570
Fission: Incomplete capability denylist in Environment/Funct - CVE-2026-50569
Fission: HTTPTrigger admission omits RelativeURL / Prefix va - CVE-2026-50568
Fission: SanitizeFilePath lexical HasPrefix bypass permits s - CVE-2026-50567
Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetch - CVE-2026-50566
Fission: Environment Runtime.Container and Builder.Container
Same vendor: fission
- CVE-2026-50570
Fission: Incomplete capability denylist in Environment/Funct - CVE-2026-50569
Fission: HTTPTrigger admission omits RelativeURL / Prefix va - CVE-2026-50568
Fission: SanitizeFilePath lexical HasPrefix bypass permits s - CVE-2026-50567
Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetch - CVE-2026-50566
Fission: Environment Runtime.Container and Builder.Container
Same weakness: CWE-269
- CVE-2026-12217
DVDFab Virtual Drive Signed Kernel Driver dvdfabio.sys privi - CVE-2026-45176
Idira Endpoint Privilege Manager Agent: Local Privilege Esca - CVE-2026-50570
Fission: Incomplete capability denylist in Environment/Funct - CVE-2026-50563
Fission Container Executor Function PodSpec Injection Leadin - CVE-2026-50545
Fission Environment CRD PodSpec Injection Leading to Node Es
V. Comments for CVE-2026-50564
No comments yet