PatchSiren cyber security CVE debrief
CVE-2026-50569 fission CVE debrief
CVE-2026-50569 is a MEDIUM severity vulnerability in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.25.0, the HTTPTriggerSpec.Validate() function did not validate the RelativeURL and Prefix fields, so an attacker could bypass URL-level checks when creating an HTTPTrigger via kubectl apply or a direct Kubernetes REST API call.
- Vendor: fission
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission, an open-source, Kubernetes-native serverless framework, should be aware of this vulnerability if they are using versions prior to 1.25.0.
Technical summary
The HTTPTriggerSpec.Validate() function in Fission did not validate the RelativeURL and Prefix fields prior to version 1.25.0. This allowed an attacker to bypass URL-level checks when creating an HTTPTrigger via kubectl apply or a direct Kubernetes REST API call. The vulnerability has been patched in version 1.25.0.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Fission version 1.25.0 or later to patch the vulnerability.
- Use the official Fission release: Fission v1.25.0.
Evidence notes
The vulnerability was patched in version 1.25.0. For more information, see the Fission release notes and the CVE record.
Official resources
CVE-2026-50569 was published on 2026-06-10T18:17:13.483Z and modified on 2026-06-10T19:37:41.437Z.