PatchSiren cyber security CVE debrief
CVE-2026-46618 fission CVE debrief
CVE-2026-46618 is a security vulnerability in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.23.0, the `pkg/builder/builder.go` file passed `Environment.spec.builder.command` directly into `exec.Command(...)` after a `strings.Fields` split, without validating the executable path or its arguments. This allows a user who can create or update Environment CRDs in a namespace observed by the `buildermgr` to execute arbitrary code in the builder pod context by pointing the builder pod at any executable inside the builder image. The issue has been patched in version 1.23.0.
- Vendor: fission
- Product: Unknown
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission prior to version 1.23.0 who create or update Environment CRDs in namespaces observed by the builder manager should be aware of this vulnerability.
Technical summary
The vulnerability arises from the lack of validation of executable paths and arguments in `pkg/builder/builder.go`. Specifically, the code passes `Environment.spec.builder.command` directly to `exec.Command(...)` after splitting it with `strings.Fields`, without validating the executable path or its arguments. This potentially allows an attacker who can set the `Environment.spec.builder.command` field to execute arbitrary code within the builder pod.
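The pattern the summary describes, and one way a defender could gate it, as an added Go example (illustrative code written for this debrief, not Fission's own source and not its 1.23.0 fix): the raw command string is still split with `strings.Fields`, but the resulting argv is checked against an executable allowlist before it ever reaches `exec.Command`. The `Policy` type, the allowlisted path `/usr/local/bin/build`, the sample command strings and the argument rule (no absolute paths, no `..`) are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrCommandRejected wraps every policy failure so callers can test for it with errors.Is.
var ErrCommandRejected = errors.New("builder command rejected by policy")

// Policy lists the executables a builder pod may launch. Every path here is a
// constructed example; a real deployment would list the build scripts that
// actually ship in its builder image.
type Policy struct {
	AllowedExecutables map[string]bool
}

// DefaultPolicy returns the constructed allowlist used below (assumption, not Fission's).
func DefaultPolicy() Policy {
	return Policy{AllowedExecutables: map[string]bool{
		"/usr/local/bin/build": true,
	}}
}

// SplitCommand is the whitespace split the advisory describes: the raw
// Environment.spec.builder.command string becomes argv with no other checks.
// Handing this straight to exec.Command is the unsafe step.
func SplitCommand(command string) []string {
	return strings.Fields(command)
}

// ValidateCommand returns argv only when the executable is an absolute path on
// the allowlist and every argument is a plain relative token (no absolute
// paths, no ".."). The argument rule is an assumption made for this example.
func (p Policy) ValidateCommand(command string) ([]string, error) {
	argv := SplitCommand(command)
	if len(argv) == 0 {
		return nil, fmt.Errorf("%w: empty command", ErrCommandRejected)
	}
	exe := argv[0]
	if !filepath.IsAbs(exe) {
		// A bare name would be resolved through PATH; refuse it outright.
		return nil, fmt.Errorf("%w: executable %q is not an absolute path", ErrCommandRejected, exe)
	}
	// Lexical clean only: "/usr/local/bin/../bin/build" is compared as "/usr/local/bin/build".
	exe = filepath.Clean(exe)
	if !p.AllowedExecutables[exe] {
		return nil, fmt.Errorf("%w: executable %q is not on the allowlist", ErrCommandRejected, exe)
	}
	for _, arg := range argv[1:] {
		if filepath.IsAbs(arg) || strings.Contains(arg, "..") {
			return nil, fmt.Errorf("%w: argument %q is not allowed", ErrCommandRejected, arg)
		}
	}
	argv[0] = exe
	return argv, nil
}

// SafeBuildCmd is the validated replacement for exec.Command(parts[0], parts[1:]...):
// the Cmd is only constructed (not started) once the policy has accepted argv.
func (p Policy) SafeBuildCmd(command string) (*exec.Cmd, error) {
	argv, err := p.ValidateCommand(command)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

func main() {
	p := DefaultPolicy()
	// Constructed sample values for Environment.spec.builder.command.
	for _, cmd := range []string{
		"/usr/local/bin/build --package app",
		"/usr/local/bin/../bin/build app",
		"build --package app",
		"/bin/sh -c true",
		"/usr/local/bin/build ../outside/file",
		"",
	} {
		if _, err := p.SafeBuildCmd(cmd); err != nil {
			fmt.Printf("reject %-40q %v\n", cmd, err)
			continue
		}
		fmt.Printf("accept %-40q\n", cmd)
	}
}
```

Running it accepts the first two commands and rejects the rest with `ErrCommandRejected`. The check is lexical only: `filepath.Clean` collapses `..` but does not follow symlinks, so a real builder should also resolve the executable with `filepath.EvalSymlinks` inside the image before comparing it with the allowlist, and the argument rule should be narrowed to whatever the build script actually accepts. Allowlisting in the builder complements, rather than replaces, the RBAC restriction on who may create or update Environment CRDs.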
Defensive priority
MEDIUM
Recommended defensive actions
- Update to Fission version 1.23.0 or later to apply the patch.
- Restrict access to create or update Environment CRDs in namespaces observed by the builder manager.
- Monitor builder pod activity for suspicious commands.
Evidence notes
The CVE has a CVSS score of 6.9 and is classified as MEDIUM severity. The vulnerability was patched in version 1.23.0 of Fission.
Official resources
CVE-2026-46618 was published on 2026-06-10T18:17:05.863Z and modified on 2026-06-10T19:37:41.437Z.