
GHSA-gx55-f84r-v3r7: Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape

Critical
Published: 06/30/2026 (06/30/2026, 18:19:32 UTC)
Source: GCVE Database
Product: github.com/fission/fission

Description

Fission's Environment Custom Resource Definition (CRD) allowed users with create/update permissions to specify pod specifications that could enable privileged pods with host network, host PID, and other sensitive capabilities. This flaw enabled potential node escape and full node compromise. The vulnerability was fixed in Fission version 1.24.0 by adding admission denylist checks and sanitizing pod specs during merge. Prior to this fix, Kubernetes Pod Security Admission did not prevent these privileged pod creations due to missing enforcement labels on relevant namespaces.

CVSS v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected software

Go (GHSA): github.com/fission/fission
Affected versions: <1.24.0


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 23:51:03 UTC

Technical Analysis

The Fission Environment CRD exposed spec.runtime.podSpec and spec.builder.podSpec fields that were merged directly into Kubernetes pod specs without filtering critical security-related fields such as hostNetwork, hostPID, hostIPC, privileged containers, and serviceAccountName. This allowed a namespace user with create/update permissions on environments.fission.io to create pods with elevated privileges, enabling host filesystem and network access, and potential node compromise. The vulnerability was addressed in pull request #3391 and released in Fission v1.24.0 by implementing an admission denylist that blocks these fields and sanitizing pod specs during merge. The fix also extended webhook validation to cover update operations, closing bypass avenues.

Potential Impact

An attacker with create/update permissions on the Fission Environment CRD could deploy pods with host network, host PID, and privileged container settings, enabling them to escape container isolation and compromise the Kubernetes node. This includes access to the host filesystem, network, container runtime socket, and cloud metadata credentials, potentially leading to full node compromise and cluster-wide takeover.

Mitigation Recommendations

A fix is available in Fission version 1.24.0. This update implements an admission denylist that rejects Environment CRD pod specs containing hostNetwork, hostPID, hostIPC, privileged containers, and other dangerous settings. It also sanitizes these fields during pod spec merging to prevent bypass. Users should upgrade to v1.24.0 or later to mitigate this vulnerability. Prior to upgrading, restricting create/update RBAC permissions on environments.fission.io can reduce risk.
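An audit helper for clusters that cannot upgrade immediately, added here as an example and not Fission's admission code: it reports which of the fields named in this advisory are set in spec.runtime.podSpec or spec.builder.podSpec of an Environment object. The sample object, its names and the function names are constructed for illustration, and the check covers only the fields listed above, not the full denylist shipped in v1.24.0.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample (invented names), shaped like one item of `kubectl get environments.fission.io -o json`.
const sampleEnv = `{"metadata":{"name":"demo-env","namespace":"team-a"},"spec":{"version":3,
 "runtime":{"image":"example/runtime:1","podSpec":{"hostNetwork":false,"hostPID":true,
   "containers":[{"name":"demo-env","securityContext":{"privileged":true}}]}},
 "builder":{"image":"example/builder:1","podSpec":{"serviceAccountName":"builder-sa"}}}}`

// holder is hypothetical; encoding/json matches the "podSpec" key case-insensitively.
type holder struct{ PodSpec map[string]interface{} }

// auditPodSpec lists the advisory's risky fields that are set in one podSpec.
func auditPodSpec(path string, ps map[string]interface{}) []string {
	var out []string
	for _, f := range []string{"hostNetwork", "hostPID", "hostIPC"} {
		if on, _ := ps[f].(bool); on {
			out = append(out, path+"."+f)
		}
	}
	if sa, _ := ps["serviceAccountName"].(string); sa != "" {
		out = append(out, path+".serviceAccountName")
	}
	for _, key := range []string{"containers", "initContainers"} {
		list, _ := ps[key].([]interface{})
		for i, c := range list {
			cm, _ := c.(map[string]interface{})
			sc, _ := cm["securityContext"].(map[string]interface{})
			if priv, _ := sc["privileged"].(bool); priv {
				out = append(out, fmt.Sprintf("%s.%s[%d].securityContext.privileged", path, key, i))
			}
		}
	}
	return out
}

// AuditEnvironment checks both podSpec locations of one Environment object given as JSON.
func AuditEnvironment(raw []byte) ([]string, error) {
	var env struct{ Spec struct{ Runtime, Builder holder } }
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	return append(auditPodSpec("spec.runtime.podSpec", env.Spec.Runtime.PodSpec),
		auditPodSpec("spec.builder.podSpec", env.Spec.Builder.PodSpec)...), nil
}

func main() { fmt.Println(AuditEnvironment([]byte(sampleEnv))) }
```

Any finding on a pre-1.24.0 cluster identifies an Environment whose pods should be reviewed, along with who holds create/update rights on environments.fission.io in that namespace.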


Technical Details

GCVE Source: db.gcve.eu
OSV ID: GHSA-gx55-f84r-v3r7
OSV Schema Version: 1.4.0
Aliases: CVE-2026-50564
Ecosystems: Go
Database Specific Severity: CRITICAL
CVSS Version: 3.1

Threat ID: 6a4452e827e9c797198e1934

Added to database: 06/30/2026, 23:36:08 UTC

Last enriched: 06/30/2026, 23:51:03 UTC

Last updated: 07/01/2026, 04:31:10 UTC
