CVE-2026-50568— Fission: SanitizeFilePath lexical HasPrefix bypass permits sibling-directory escape
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-50568
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fission: SanitizeFilePath lexical HasPrefix bypass permits sibling-directory escape
Source: NVD (National Vulnerability Database)
Vulnerability Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径等价的解析不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fission 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Fission是Fission开源的一个基于Kubernetes的函数部署框架。 Fission 1.25.0之前版本存在安全漏洞,该漏洞源于SanitizeFilePath函数使用字符串前缀检查而非目录边界检查,导致以安全目录字符串开头的兄弟目录被接受,租户可通过控制fetcher/构建器共享卷下的兄弟目录诱导写入或读取安全目录之外的文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-50568
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-50568
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-50568 (1)
Vendor Advisories for CVE-2026-50568 (1)
Same Patch Batch · fission · 2026-06-10 · 17 CVEs total
| CVE-2026-50563 | 9.9 CRITICAL | Fission Container Executor Function PodSpec Injection Leading to Node Escape |
| CVE-2026-50566 | 9.9 CRITICAL | Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows |
| CVE-2026-50545 | 9.9 CRITICAL | Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover |
| CVE-2026-50564 | 9.9 CRITICAL | Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, n |
| CVE-2026-46614 | 9.8 CRITICAL | Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invo |
| CVE-2026-46612 | 8.8 HIGH | Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function arc |
| CVE-2026-49824 | 8.5 HIGH | Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function |
| CVE-2026-50570 | 8.5 HIGH | Fission: Incomplete capability denylist in Environment/Function PodSpec validation allows |
| CVE-2026-49823 | 7.7 HIGH | Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission web |
| CVE-2026-49822 | 7.7 HIGH | Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant |
| CVE-2026-49821 | 7.7 HIGH | Fission: Cross-namespace Environment reference in Package allows build-time command execut |
| CVE-2026-50567 | 7.7 HIGH | Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetcher to write outside the destin |
| CVE-2026-50565 | 4.9 MEDIUM | Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-suppl |
| CVE-2026-50569 | 4.3 MEDIUM | Fission: HTTPTrigger admission omits RelativeURL / Prefix validation; kubectl apply bypass |
| CVE-2026-46617 | Fission runtime pods automount the fission-fetcher service-account token into the user fun | |
| CVE-2026-46618 | Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, |
IV. Related Vulnerabilities
Same product: fission
- CVE-2026-50570
Fission: Incomplete capability denylist in Environment/Funct - CVE-2026-50569
Fission: HTTPTrigger admission omits RelativeURL / Prefix va - CVE-2026-50567
Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetch - CVE-2026-50566
Fission: Environment Runtime.Container and Builder.Container - CVE-2026-50565
Fission builder pods auto-mount the fission-builder ServiceA
Same vendor: fission
- CVE-2026-50570
Fission: Incomplete capability denylist in Environment/Funct - CVE-2026-50569
Fission: HTTPTrigger admission omits RelativeURL / Prefix va - CVE-2026-50567
Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetch - CVE-2026-50566
Fission: Environment Runtime.Container and Builder.Container - CVE-2026-50565
Fission builder pods auto-mount the fission-builder ServiceA
Same weakness: CWE-41
V. Comments for CVE-2026-50568
No comments yet