PatchSiren cyber security CVE debrief
CVE-2026-50563 fission CVE debrief
CVE-2026-50563 is a critical vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The issue allows a tenant to supply Function.spec.podspec directly, which is then merged into the executor-built podspec and used to create a Deployment. This could potentially allow an attacker to execute arbitrary code in the user's container image. The vulnerability has been patched in version 1.24.0 of Fission.
- Vendor: fission
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission, an open-source, Kubernetes-native serverless framework, should be aware of this vulnerability if they are using a version prior to 1.24.0.
Technical summary
The Container Executor path in Fission allows a tenant to supply Function.spec.podspec directly. The executor merges it into the executor-built podspec and creates a Deployment whose pods run the user's container image. This could potentially allow an attacker to execute arbitrary code in the user's container image.
Defensive priority
High
Recommended defensive actions
- Upgrade to Fission version 1.24.0 or later.
- Review and restrict the supply of Function.spec.podspec to prevent arbitrary code execution.
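One way to carry out the review in the second action, as an added example that is not part of the advisory or of Fission's own code: it lists every Function that sets spec.podspec and flags host-level settings for a reviewer. The flagged fields are taken from the Kubernetes Pod Security Standards baseline profile and the InvokeStrategy field names are assumed from the Function CRD; the advisory names neither, and the sample data is constructed.

```python
import json

# Review criteria are an assumption of this example, taken from the Kubernetes
# Pod Security Standards "baseline" profile; the advisory lists no fields.
HOST_FIELDS = ("hostNetwork", "hostPID", "hostIPC")

def audit_functions(function_list):
    """Return a finding for every Function that sets spec.podspec."""
    findings = []
    for fn in function_list.get("items", []):
        spec = fn.get("spec") or {}
        podspec = spec.get("podspec")
        if not podspec:
            continue  # nothing tenant-supplied is merged for this Function
        flags = [f for f in HOST_FIELDS if podspec.get(f) is True]
        flags += ["hostPath:" + v.get("name", "?")
                  for v in podspec.get("volumes") or [] if "hostPath" in v]
        for c in (podspec.get("containers") or []) + (podspec.get("initContainers") or []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                flags.append("privileged:" + c.get("name", "?"))
        strategy = (spec.get("InvokeStrategy") or {}).get("ExecutionStrategy") or {}
        findings.append({
            "function": fn["metadata"].get("namespace", "default") + "/" + fn["metadata"]["name"],
            "executor": strategy.get("ExecutorType", "unknown"),  # assumed CRD field name
            "podspec_keys": sorted(podspec),  # every top-level key the tenant set
            "flags": flags,
        })
    return findings

# Constructed sample in the shape of a Function list; not real cluster output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "hello", "namespace": "team-a"},
  "spec": {"environment": {"name": "python"}}},
 {"metadata": {"name": "img-resize", "namespace": "team-b"},
  "spec": {"InvokeStrategy": {"ExecutionStrategy": {"ExecutorType": "container"}},
           "podspec": {"containers": [{"name": "img-resize", "image": "example.invalid/resize:1"}]}}},
 {"metadata": {"name": "batch", "namespace": "team-b"},
  "spec": {"InvokeStrategy": {"ExecutionStrategy": {"ExecutorType": "container"}},
           "podspec": {"hostNetwork": true,
                       "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                       "containers": [{"name": "batch", "image": "example.invalid/batch:1",
                                       "securityContext": {"privileged": true}}]}}}
]}
""")

if __name__ == "__main__":
    for finding in audit_functions(SAMPLE):
        print(json.dumps(finding))
```

On a cluster, replace SAMPLE with the parsed output of `kubectl get functions.fission.io --all-namespaces -o json`. A Function with an empty flags list still carries a tenant-supplied podspec and belongs in the review.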
Evidence notes
The vulnerability has a CVSS score of 9.9 and is considered CRITICAL.
Official resources
CVE-2026-50563 was published on 2026-06-10T18:17:12.607Z and modified on 2026-06-10T19:37:41.437Z.