GHSA-m63v-2g9w-2w6v: Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation
A security vulnerability in Fission's Environment CRD allows bypassing PodSpec hardening controls by exploiting the standalone Runtime.Container and Builder.Container SecurityContext fields. This flaw permits creation of privileged pods or containers with dangerous capabilities, potentially enabling container escape and cluster compromise. The issue arises because validation and sanitization functions do not cover these standalone container fields, allowing attackers with Environment create/update RBAC to escalate privileges. The vulnerability is fixed in Fission version 1.24.0.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-50566) in github.com/fission/fission involves a bypass of PodSpec security hardening due to incomplete validation and sanitization of the Environment CRD's standalone Runtime.Container and Builder.Container SecurityContext fields. The admission webhook validates only Runtime.PodSpec and Builder.PodSpec, ignoring these standalone container fields, which are merged without sanitization. This allows an attacker with appropriate RBAC to create privileged pods or containers with elevated capabilities such as privileged mode, allowPrivilegeEscalation, or SYS_ADMIN capabilities. The flaw affects multiple merge sites and results in pods running with elevated privileges under the executor's high-privilege service account, risking container escape and cluster compromise. The issue is fixed in pull request #3406 and released in version 1.24.0.
Potential Impact
An attacker with create/update permissions on the Environment CRD can deploy pods or containers with privileged SecurityContext settings, including privileged mode, allowPrivilegeEscalation, and dangerous Linux capabilities. These pods run under a high-privilege executor service account, enabling potential container escape, host filesystem and network access, and full node or cluster compromise. The blast radius is equivalent to prior PodSpec hardening bypasses addressed in earlier advisories.
Mitigation Recommendations
A fix is available in Fission version 1.24.0, which adds validation for standalone container SecurityContext fields and sanitizes them during merging. Until upgrading, restrict Environment create/update RBAC permissions to trusted administrators only. Additionally, deploy admission policies (e.g., Kyverno or OPA Gatekeeper) to reject dangerous SecurityContext settings on Environment CRDs, or enforce Kubernetes Pod Security Standards with labels such as pod-security.kubernetes.io/enforce: restricted on function and builder namespaces.
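As an added example (not part of the advisory or of Fission's code), this Go program audits an Environment manifest in JSON form for the SecurityContext settings named above in the standalone container fields, the check an admission policy or a pre-upgrade review of existing Environments would apply. The field paths spec.runtime.container and spec.builder.container, the function name AuditEnvironment and the sample manifest are assumptions; any added capability other than NET_BIND_SERVICE is flagged, mirroring the restricted Pod Security Standard.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the SecurityContext fields the advisory names; encoding/json matches
// keys case-insensitively, so no struct tags are needed.
type secCtx struct {
	Privileged, AllowPrivilegeEscalation bool
	Capabilities                         struct{ Add []string }
}

// Assumed JSON layout: spec.runtime.container and spec.builder.container.
type part struct{ Container struct{ SecurityContext secCtx } }

// Constructed sample manifest, not taken from the advisory.
const sample = `{"spec":{"runtime":{"container":{"securityContext":{"privileged":true,
 "capabilities":{"add":["SYS_ADMIN","NET_BIND_SERVICE"]}}}},
 "builder":{"container":{"securityContext":{"allowPrivilegeEscalation":true}}}}}`

// AuditEnvironment lists risky standalone-container settings in one manifest.
func AuditEnvironment(manifest []byte) ([]string, error) {
	var env struct{ Spec struct{ Runtime, Builder part } }
	if err := json.Unmarshal(manifest, &env); err != nil {
		return nil, err
	}
	var out []string
	for i, p := range []part{env.Spec.Runtime, env.Spec.Builder} {
		path := []string{"spec.runtime", "spec.builder"}[i] + ".container.securityContext."
		sc := p.Container.SecurityContext
		if sc.Privileged {
			out = append(out, path+"privileged=true")
		}
		if sc.AllowPrivilegeEscalation {
			out = append(out, path+"allowPrivilegeEscalation=true")
		}
		for _, c := range sc.Capabilities.Add {
			if c != "NET_BIND_SERVICE" { // the only add the restricted profile allows
				out = append(out, path+"capabilities.add="+c)
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(AuditEnvironment([]byte(sample))) }
```

An Environment that sets only a hardened podspec returns no findings, so the check isolates the standalone container fields the webhook did not cover before 1.24.0.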
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: GHSA-m63v-2g9w-2w6v
- OSV Schema Version: 1.4.0
- Aliases: CVE-2026-50566
- Ecosystems: Go
- Database Specific Severity: CRITICAL
- CVSS Version: 3.1
Threat ID: 6a4452e827e9c797198e1921
Added to database: 06/30/2026, 23:36:08 UTC
Last enriched: 06/30/2026, 23:50:43 UTC
Last updated: 07/01/2026, 03:31:49 UTC