Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-m63v-2g9w-2w6v: Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation

0
Critical
Published: 06/30/2026 (06/30/2026, 18:20:39 UTC)
Source: GCVE Database
Product: github.com/fission/fission

Description

A security vulnerability in Fission's Environment CRD allows bypassing PodSpec hardening controls by exploiting the standalone Runtime.Container and Builder.Container SecurityContext fields. This flaw permits creation of privileged pods or containers with dangerous capabilities, potentially enabling container escape and cluster compromise. The issue arises because validation and sanitization functions do not cover these standalone container fields, allowing attackers with Environment create/update RBAC to escalate privileges. The vulnerability is fixed in Fission version 1.24.0.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected software

Goghsa
github.com/fission/fission
Affected versions
<1.24.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 06/30/2026, 23:50:43 UTC

Technical Analysis

This vulnerability (CVE-2026-50566) in github.com/fission/fission involves a bypass of PodSpec security hardening due to incomplete validation and sanitization of the Environment CRD's standalone Runtime.Container and Builder.Container SecurityContext fields. The admission webhook validates only Runtime.PodSpec and Builder.PodSpec, ignoring these standalone container fields, which are merged without sanitization. This allows an attacker with appropriate RBAC to create privileged pods or containers with elevated capabilities such as privileged mode, allowPrivilegeEscalation, or SYS_ADMIN capabilities. The flaw affects multiple merge sites and results in pods running with elevated privileges under the executor's high-privilege service account, risking container escape and cluster compromise. The issue is fixed in pull request #3406 and released in version 1.24.0.

Potential Impact

An attacker with create/update permissions on the Environment CRD can deploy pods or containers with privileged SecurityContext settings, including privileged mode, allowPrivilegeEscalation, and dangerous Linux capabilities. These pods run under a high-privilege executor service account, enabling potential container escape, host filesystem and network access, and full node or cluster compromise. The blast radius is equivalent to prior PodSpec hardening bypasses addressed in earlier advisories.

Mitigation Recommendations

A fix is available in Fission version 1.24.0, which adds validation for standalone container SecurityContext fields and sanitizes them during merging. Until upgrading, restrict Environment create/update RBAC permissions to trusted administrators only. Additionally, deploy admission policies (e.g., Kyverno or OPA Gatekeeper) to reject dangerous SecurityContext settings on Environment CRDs, or enforce Kubernetes Pod Security Standards with labels such as pod-security.kubernetes.io/enforce: restricted on function and builder namespaces.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-m63v-2g9w-2w6v
Osv Schema Version
1.4.0
Aliases
["CVE-2026-50566"]
Ecosystems
["Go"]
Database Specific Severity
CRITICAL
Cvss Version
3.1

Threat ID: 6a4452e827e9c797198e1921

Added to database: 06/30/2026, 23:36:08 UTC

Last enriched: 06/30/2026, 23:50:43 UTC

Last updated: 07/01/2026, 03:31:49 UTC

Views: 16

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses