PatchSiren cyber security CVE debrief
CVE-2026-50545 fission CVE debrief
CVE-2026-50545 is a critical vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The vulnerability has a CVSS score of 9.9 and was published on [2026-06-10](https://www.cve.org/CVERecord?id=CVE-2026-50545). The Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous fields from the user-supplied spec into the generated pods. The issue is patched in version 1.24.0.
- Vendor: fission
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission prior to version 1.24.0 should update to the latest version to mitigate this vulnerability.
Technical summary
The vulnerability is caused by missing validation on the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough: MergePodSpec copied dangerous fields from the user-supplied spec into the generated pods without filtering them. This could allow an attacker to execute arbitrary code or escalate privileges.
Defensive priority
high
Recommended defensive actions
- Update to Fission version 1.24.0 or later.
- Review and validate podSpec configurations to prevent propagation of dangerous fields.
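The second action above (and the technical summary) amounts to an allow-list check on the podSpec fragment before it is merged into a generated pod. The following is an added example written for this debrief; it is not Fission's own code, not the 1.24.0 patch, and it does not reproduce MergePodSpec. It assumes the passthrough arrives as a JSON document using standard Kubernetes PodSpec field names, models only the handful of fields that grant node-level access, and returns one finding per dangerous setting so an admission step can reject the Environment before any pod is created.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Kubernetes PodSpec. Field names follow the real
// corev1 JSON tags; fields not listed here are ignored by encoding/json.
type SecurityContext struct {
	Privileged               *bool  `json:"privileged,omitempty"`
	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
	RunAsUser                *int64 `json:"runAsUser,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type HostPathVolumeSource struct {
	Path string `json:"path"`
}

type Volume struct {
	Name     string                `json:"name"`
	HostPath *HostPathVolumeSource `json:"hostPath,omitempty"`
}

type PodSpec struct {
	HostPID        bool        `json:"hostPID,omitempty"`
	HostNetwork    bool        `json:"hostNetwork,omitempty"`
	HostIPC        bool        `json:"hostIPC,omitempty"`
	Containers     []Container `json:"containers,omitempty"`
	InitContainers []Container `json:"initContainers,omitempty"`
	Volumes        []Volume    `json:"volumes,omitempty"`
}

// CheckPodSpec parses a user-supplied podSpec fragment and returns one finding
// per field that would give the generated pod access to the node. An empty
// result means the fragment is safe to merge; a non-nil error means it could
// not be parsed and must be rejected outright.
func CheckPodSpec(raw []byte) ([]string, error) {
	var spec PodSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, fmt.Errorf("podSpec is not valid JSON: %w", err)
	}
	var findings []string
	if spec.HostPID {
		findings = append(findings, "hostPID=true shares the node PID namespace")
	}
	if spec.HostNetwork {
		findings = append(findings, "hostNetwork=true shares the node network namespace")
	}
	if spec.HostIPC {
		findings = append(findings, "hostIPC=true shares the node IPC namespace")
	}
	// Init containers get the same scrutiny as regular containers.
	for _, list := range [][]Container{spec.Containers, spec.InitContainers} {
		for _, c := range list {
			sc := c.SecurityContext
			if sc == nil {
				continue
			}
			if sc.Privileged != nil && *sc.Privileged {
				findings = append(findings, "container "+c.Name+": privileged=true")
			}
			if sc.RunAsUser != nil && *sc.RunAsUser == 0 {
				findings = append(findings, "container "+c.Name+": runAsUser=0")
			}
		}
	}
	for _, v := range spec.Volumes {
		if v.HostPath != nil {
			findings = append(findings, "volume "+v.Name+": hostPath "+v.HostPath.Path)
		}
	}
	return findings, nil
}

// Constructed sample inputs for demonstration (not taken from the advisory).
const SampleUnsafePodSpec = `{
  "hostPID": true,
  "containers": [{"name": "fn", "securityContext": {"privileged": true, "runAsUser": 0}}],
  "volumes": [{"name": "root", "hostPath": {"path": "/"}}]
}`

const SampleSafePodSpec = `{
  "containers": [{"name": "fn", "securityContext": {"privileged": false, "allowPrivilegeEscalation": false, "runAsUser": 1000}}],
  "volumes": [{"name": "tmp", "emptyDir": {}}]
}`

func main() {
	for _, s := range []string{SampleUnsafePodSpec, SampleSafePodSpec} {
		findings, err := CheckPodSpec([]byte(s))
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

The check is deny-on-match rather than a full allow-list; a production version would also cover capabilities.add and hostPort, and would run in the same code path that merges the spec so that nothing reaches the generated pod unvalidated.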
Evidence notes
The vulnerability is patched in version 1.24.0. References: [ref-6](https://github.com/fission/fission/releases/tag/v1.24.0), [ref-4](https://github.com/fission/fission/pull/3390), [ref-5](https://github.com/fission/fission/pull/3391), [ref-7](https://github.com/fission/fission/security/advisories/GHSA-wmgg-3p4h-48x7).
Official resources
CVE-2026-50545 was published on 2026-06-10T18:17:12.467Z and modified on 2026-06-10T19:37:41.437Z.