
CVE-2026-50570 — Fission: Incomplete capability denylist in Environment/Function PodSpec validation allows tenant-added CAP_SYS_TIME and cross-tenant node wall-clock corruption

CVSS 8.5 · High | EPSS 0.27% · P19

Affected Version Matrix 1

Vendor | Product | Version Range | Status
fission | fission | < 1.25.0 | affected

I. Basic Information for CVE-2026-50570

Vulnerability Information


Vulnerability Title
Fission: Incomplete capability denylist in Environment/Function PodSpec validation allows tenant-added CAP_SYS_TIME and cross-tenant node wall-clock corruption
Source: NVD (National Vulnerability Database)
Vulnerability Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and Function CRDs (ValidatePodSpecSafety / ValidateContainerSafety admission webhook + sanitizeContainerSecurityContext executor merge layer), but the capability check was implemented as a fixed denylist of six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE). The denylist omitted CAP_SYS_TIME, among others. As a result, a tenant who could create a Function or Environment CRD could request securityContext.capabilities.add: ["SYS_TIME"], pass Fission's admission validation and merge-layer sanitization, and run attacker-controlled code with CAP_SYS_TIME in the resulting function or runtime container. This issue has been patched in version 1.25.0.
Source: NVD (National Vulnerability Database)
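
Added example (not Fission's code and not part of the NVD record): the same capabilities.add request checked against the six-entry denylist named in the description and against a default-deny allowlist. The function names, the allowlist contents and the sample request are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// The six capabilities the description says the pre-1.25.0 denylist contained.
var denied = map[string]bool{
	"SYS_ADMIN": true, "NET_ADMIN": true, "SYS_PTRACE": true,
	"SYS_MODULE": true, "DAC_READ_SEARCH": true, "DAC_OVERRIDE": true,
}

// Assumed tenant policy for this example: the only capability that may be added.
var allowed = map[string]bool{"NET_BIND_SERVICE": true}

// normalize makes matching case-insensitive and tolerant of a "CAP_" prefix.
func normalize(c string) string {
	return strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(c)), "CAP_")
}

// rejectedByDenylist returns the requested capabilities a denylist refuses.
// Anything that is not enumerated is accepted by default.
func rejectedByDenylist(add []string) []string {
	var out []string
	for _, c := range add {
		if denied[normalize(c)] {
			out = append(out, c)
		}
	}
	return out
}

// rejectedByAllowlist returns the requested capabilities an allowlist refuses.
// Anything that is not enumerated is refused by default.
func rejectedByAllowlist(add []string) []string {
	var out []string
	for _, c := range add {
		if !allowed[normalize(c)] {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Constructed securityContext.capabilities.add list for the example.
	add := []string{"SYS_TIME", "NET_ADMIN", "NET_BIND_SERVICE"}
	fmt.Println("denylist rejects: ", rejectedByDenylist(add))
	fmt.Println("allowlist rejects:", rejectedByAllowlist(add))
}
```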
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Privilege Management
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fission Security Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
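Fission is a Kubernetes-based function deployment framework open-sourced by Fission. Versions of Fission prior to 1.25.0 contain a security vulnerability caused by the capability-check denylist in PodSpec safety validation omitting CAP_SYS_TIME, which allows a tenant to request that capability and run attacker-controlled code.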
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
fission | fission | < 1.25.0 | -

II. Public POCs for CVE-2026-50570


III. Intelligence Information for CVE-2026-50570


Patches & Fixes for CVE-2026-50570 (1)

Vendor Advisories for CVE-2026-50570 (1)

Same Patch Batch · fission · 2026-06-10 · 17 CVEs total

CVE-2026-50563 | 9.9 CRITICAL | Fission Container Executor Function PodSpec Injection Leading to Node Escape
CVE-2026-50566 | 9.9 CRITICAL | Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows
CVE-2026-50545 | 9.9 CRITICAL | Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover
CVE-2026-50564 | 9.9 CRITICAL | Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, n
CVE-2026-46614 | 9.8 CRITICAL | Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invo
CVE-2026-46612 | 8.8 HIGH | Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function arc
CVE-2026-49824 | 8.5 HIGH | Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function
CVE-2026-49823 | 7.7 HIGH | Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission web
CVE-2026-49822 | 7.7 HIGH | Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant
CVE-2026-49821 | 7.7 HIGH | Fission: Cross-namespace Environment reference in Package allows build-time command execut
CVE-2026-50567 | 7.7 HIGH | Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetcher to write outside the destin
CVE-2026-50565 | 4.9 MEDIUM | Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-suppl
CVE-2026-50569 | 4.3 MEDIUM | Fission: HTTPTrigger admission omits RelativeURL / Prefix validation; kubectl apply bypass
CVE-2026-50568 | 3.6 LOW | Fission: SanitizeFilePath lexical HasPrefix bypass permits sibling-directory escape
CVE-2026-46617 | Fission runtime pods automount the fission-fetcher service-account token into the user fun
CVE-2026-46618 | Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command,
