PatchSiren cyber security CVE debrief

CVE-2026-50564 Fission CVE debrief

CVE-2026-50564 is a critical security vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into Kubernetes pod specs without adequate filtering or validation, allowing privilege escalation. An attacker who can supply an Environment pod spec could set hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName on the resulting pods. The vulnerability has been patched in version 1.24.0.

Vendor: Fission
Product: Fission
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Operators running Fission, particularly any deployment still on a version earlier than 1.24.0, should be aware of this vulnerability and take immediate action to mitigate the risk.

Technical summary

The Environment CRD in Fission exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into Kubernetes pod specs for runtime and builder pods. Prior to version 1.24.0, the merge logic propagated sensitive fields such as hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName without filtering. Environment.Validate did not perform security-relevant checks on these fields, potentially allowing an attacker to escalate privileges.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Fission version 1.24.0 or later to apply the patch.
  • Review and restrict user-supplied pod specs to prevent exploitation of sensitive fields.
  • Implement additional security measures, such as network policies and role-based access control, to limit potential damage.
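As an added illustration of the second action above and of the unfiltered fields named in the technical summary, here is a small Go check, using only the standard library, that decodes an Environment object and reports every podSpec field the debrief lists. It is example code, not Fission's own Environment.Validate; the sample Environment is constructed, and the function name and JSON-path output format are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Pod-level keys the debrief names as propagated unfiltered before Fission 1.24.0.
var sensitivePodFields = []string{"hostNetwork", "hostPID", "hostIPC", "serviceAccountName"}
// Constructed sample Environment object (not a real Fission manifest).
const SampleEnv = `{"kind":"Environment","spec":{"runtime":{"podSpec":{"hostPID":true,"serviceAccountName":"cluster-admin-sa","containers":[{"name":"r","securityContext":{"privileged":true}}]}},"builder":{"podSpec":{"hostNetwork":false}}}}`

// FindSensitivePodSpecFields returns the JSON paths under spec.runtime.podSpec and spec.builder.podSpec
// that set a true host* boolean, a non-empty serviceAccountName, or a privileged container.
func FindSensitivePodSpecFields(envJSON []byte) ([]string, error) {
	var env map[string]any
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return nil, err
	}
	var findings []string
	spec, _ := env["spec"].(map[string]any)
	for _, section := range []string{"runtime", "builder"} {
		sec, _ := spec[section].(map[string]any) // reading a nil map is safe in Go
		podSpec, _ := sec["podSpec"].(map[string]any)
		prefix := "spec." + section + ".podSpec."
		for _, f := range sensitivePodFields {
			b, isBool := podSpec[f].(bool)
			s, isStr := podSpec[f].(string)
			if (isBool && b) || (isStr && s != "") {
				findings = append(findings, prefix+f)
			}
		}
		for _, list := range []string{"containers", "initContainers"} { // container-level privileged
			containers, _ := podSpec[list].([]any)
			for i, c := range containers {
				cm, _ := c.(map[string]any)
				sc, _ := cm["securityContext"].(map[string]any)
				if priv, _ := sc["privileged"].(bool); priv {
					findings = append(findings, fmt.Sprintf("%s%s[%d].securityContext.privileged", prefix, list, i))
				}
			}
		}
	}
	return findings, nil
}

func main() {
	findings, _ := FindSensitivePodSpecFields([]byte(SampleEnv)) // error ignored: constant input
	fmt.Println("reject:", findings) // three paths for SampleEnv; builder hostNetwork=false passes
}
```

The same function can be run over `kubectl get environments.fission.io -A -o json` output by iterating its items; a non-empty result is a reason to reject or audit the object.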

Evidence notes

The CVE-2026-50564 issue has a CVSS score of 9.9 and is classified as CRITICAL. The vulnerability was published on 2026-06-10T18:17:12.740Z and modified on 2026-06-10T19:37:41.437Z.
