PatchSiren cyber security CVE debrief
CVE-2026-50568 fission CVE debrief
CVE-2026-50568 is a path traversal vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The vulnerability allows a tenant to induce a write or read outside the intended safe directory. This issue was patched in version 1.25.0.
- Vendor: fission
- Product: Unknown
- CVSS: LOW 3.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission, especially those who use shared volumes, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The SanitizeFilePath function in pkg/utils/utils.go did not properly validate file paths, allowing a tenant to create or control a sibling directory under the fetcher/builder's shared volume. This could lead to writes or reads outside the intended safe directory.
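The following Go sketch is an added example, not Fission's code and not the 1.25.0 patch: it shows a safe-directory containment check that rejects the sibling-directory case described above. The function names and sample paths are hypothetical, and the naive prefix check is a generic contrast, not a claim about how `SanitizeFilePath` was written.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveWithin is a generic string-prefix check, shown only for contrast.
// "/packages-evil" starts with "/packages", so a sibling directory passes.
func naiveWithin(base, target string) bool {
	return strings.HasPrefix(filepath.Clean(target), filepath.Clean(base))
}

// within reports whether target is base itself or lies beneath it.
// filepath.Rel works on path components, so a sibling whose name merely
// begins with the base name yields a ".." result and is rejected.
// The check is lexical: resolve symlinks (filepath.EvalSymlinks) first
// when the directory contents are tenant-controlled.
func within(base, target string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(target))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeJoin appends an untrusted name to base and refuses results outside base.
func safeJoin(base, name string) (string, error) {
	p := filepath.Join(base, name)
	if !within(base, p) {
		return "", fmt.Errorf("path %q escapes %q", name, base)
	}
	return p, nil
}

func main() {
	base := "/packages" // constructed sample paths, not Fission's real layout
	for _, t := range []string{"/packages/fn/a.zip", "/packages-evil/a.zip", "/packages/../etc/x"} {
		fmt.Printf("%-24s naive=%-5v within=%v\n", t, naiveWithin(base, t), within(base, t))
	}
	_, err := safeJoin(base, "../packages-evil/a.zip")
	fmt.Println("safeJoin:", err)
}
```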
Defensive priority
LOW
Recommended defensive actions
- Upgrade to Fission version 1.25.0 or later.
- Review and restrict access to shared volumes.
- Monitor for suspicious activity.
Evidence notes
The vulnerability was patched in version 1.25.0. References: [ref-6](https://github.com/fission/fission/releases/tag/v1.25.0), [ref-4](https://github.com/fission/fission/pull/3445), [ref-5](https://github.com/fission/fission/pull/3446), [ref-7](https://github.com/fission/fission/security/advisories/GHSA-r5jh-q2mw-gcx4).
Official resources
CVE-2026-50568 was published on 2026-06-10.