PatchSiren cyber security CVE debrief
CVE-2026-50570 Fission CVE debrief
CVE-2026-50570 is a high-severity vulnerability in Fission, a Kubernetes-native serverless framework. A tenant who can create Function or Environment CRDs can bypass Fission's PodSpec capability validation and run attacker-controlled code with an elevated Linux capability (CAP_SYS_TIME) in the resulting container. Fission versions prior to 1.25.0 are affected.
- Vendor: Fission
- Product: Fission
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Operators who run Fission, a Kubernetes-native serverless framework, with more than one tenant are affected. The attacker position is any tenant permitted to create or update Function or Environment CRDs; the impact lands on the nodes where the resulting function or runtime pods are scheduled, since the capability in question acts outside the container's namespace.
Technical summary
Fission added PodSpec safety validation for the tenant-facing Environment and Function CRDs, but the capability check was implemented as a fixed denylist of six Linux capabilities rather than an allowlist. The denylist omitted CAP_SYS_TIME, among others. A tenant can therefore request securityContext.capabilities.add: [SYS_TIME] in a Function or Environment PodSpec, pass both Fission's admission validation and its merge-layer sanitization, and run attacker-controlled code with CAP_SYS_TIME in the resulting function or runtime container. CAP_SYS_TIME permits the process to set the system clock (settimeofday(2), clock_settime(2) on CLOCK_REALTIME, adjtimex(2)). CLOCK_REALTIME is not virtualized by Linux time namespaces, so a container holding this capability can shift the wall clock of the whole node, which affects every time-based check on it, for example certificate and token expiry, log timestamps and scheduled jobs. The underlying design weakness is the denylist itself: any capability left off the list is accepted by default, so the check is only as complete as the list.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Fission version 1.25.0 or later.
- Audit existing Environment and Function CRDs for securityContext.capabilities.add entries in their PodSpecs and remove any capability that is not strictly required.
- Enforce capability restrictions at the cluster level rather than relying on Fission's own validation: apply the Kubernetes Pod Security Standards "restricted" profile through Pod Security Admission (or an equivalent admission policy) to the namespaces in which Fission schedules function, runtime and builder pods. The restricted profile requires containers to drop ALL capabilities and permits only NET_BIND_SERVICE to be added back, so it blocks SYS_TIME and every other omission from a denylist regardless of Fission version.
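As an added illustration of the denylist weakness described in the technical summary, and as a starting point for the audit of existing Function and Environment objects recommended above, the following Go program (written for this debrief, not Fission's own validation code) implements a denylist check and an allowlist check over a constructed PodSpec fragment. The six denylist entries are hypothetical stand-ins, not the real Fission list, and the assumption that the fragment comes from a CR's podspec block is an assumption of this example; the allowlist follows the Kubernetes "restricted" Pod Security Standard.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Capabilities mirrors the capabilities block of a Kubernetes container
// securityContext; names appear without the CAP_ prefix (e.g. "SYS_TIME").
type Capabilities struct {
	Add  []string `json:"add,omitempty"`
	Drop []string `json:"drop,omitempty"`
}

type SecurityContext struct {
	Capabilities *Capabilities `json:"capabilities,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

// PodSpecFragment is the part of a tenant-supplied PodSpec that matters here.
type PodSpecFragment struct {
	Containers []Container `json:"containers"`
}

// denylist is a hypothetical fixed set of "dangerous" capabilities, modelled
// on the flawed approach the advisory describes. It is NOT Fission's real
// list; the point is that SYS_TIME (and any other omission) is simply absent.
var denylist = map[string]bool{
	"SYS_ADMIN": true, "SYS_MODULE": true, "SYS_PTRACE": true,
	"NET_ADMIN": true, "SYS_RAWIO": true, "DAC_READ_SEARCH": true,
}

// allowlist is the hardened alternative: nothing may be added unless named.
// NET_BIND_SERVICE is the only capability the Kubernetes "restricted" Pod
// Security Standard lets a container add back, so it is the only entry.
var allowlist = map[string]bool{"NET_BIND_SERVICE": true}

// normalize maps "SYS_TIME", "sys_time" and "CAP_SYS_TIME" all to "SYS_TIME"
// so a check cannot be dodged through casing or prefix variations.
func normalize(c string) string {
	return strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(c)), "CAP_")
}

// addedCaps walks every container's capabilities.add list and reports, as
// "container:CAP", each entry for which reject returns true.
func addedCaps(spec PodSpecFragment, reject func(string) bool) []string {
	var out []string
	for _, ct := range spec.Containers {
		if ct.SecurityContext == nil || ct.SecurityContext.Capabilities == nil {
			continue
		}
		for _, c := range ct.SecurityContext.Capabilities.Add {
			if n := normalize(c); reject(n) {
				out = append(out, ct.Name+":"+n)
			}
		}
	}
	sort.Strings(out)
	return out
}

// ValidateDenylist returns the added capabilities a denylist check rejects.
// An empty result means the spec is accepted, even when it adds SYS_TIME.
func ValidateDenylist(spec PodSpecFragment) []string {
	return addedCaps(spec, func(c string) bool { return denylist[c] })
}

// ValidateAllowlist returns every added capability that is not explicitly
// permitted; SYS_TIME is rejected without ever having to be named.
func ValidateAllowlist(spec PodSpecFragment) []string {
	return addedCaps(spec, func(c string) bool { return !allowlist[c] })
}

// ParseSpec decodes a JSON PodSpec fragment (assumed to be taken from a
// Function or Environment CR's podspec block) so stored objects can be
// audited with the same checks used at admission time.
func ParseSpec(raw string) (PodSpecFragment, error) {
	var spec PodSpecFragment
	err := json.Unmarshal([]byte(raw), &spec)
	return spec, err
}

// sampleSpec is a constructed tenant request, not taken from any real cluster.
const sampleSpec = `{"containers":[
  {"name":"func","securityContext":{"capabilities":{"add":["SYS_TIME"]}}},
  {"name":"sidecar","securityContext":{"capabilities":{"add":["NET_BIND_SERVICE","cap_sys_admin"]}}}
]}`

func main() {
	spec, err := ParseSpec(sampleSpec)
	if err != nil {
		panic(err)
	}
	fmt.Println("denylist rejects: ", ValidateDenylist(spec))  // [sidecar:SYS_ADMIN]
	fmt.Println("allowlist rejects:", ValidateAllowlist(spec)) // [func:SYS_TIME sidecar:SYS_ADMIN]
}
```

The denylist lets the func container's SYS_TIME through and flags only the sidecar's SYS_ADMIN, which is exactly the gap the advisory describes; the allowlist rejects both while still permitting NET_BIND_SERVICE. To audit a live cluster, feed the podspec block of each Function and Environment object to ParseSpec and treat any non-empty ValidateAllowlist result as a finding.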
Evidence notes
The CVE-2026-50570 record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-50570). Additional details can be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-50570).
Official resources
CVE-2026-50570 was published on 2026-06-10T18:17:13.623Z and modified on 2026-06-10T19:37:41.437Z.