CVE Catalog

CVE-2026-50566

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

11th percentile — higher than 11% of all known CVEs

Summary

Fission is a serverless framework, native to Kubernetes, that simplifies the deployment of functions and applications. In versions prior to 1.24.0, a user with appropriate RBAC permissions could run privileged containers, leading to container-sandbox escape and access to the host's filesystem and network.

Risk Assessment

The risk to the organization involves the potential for node or cluster takeover, which could lead to serious security breaches and data loss.

Recommendation

It is recommended to upgrade to version 1.24.0 or later to mitigate this vulnerability and secure the environment against potential attacks.

Original NVD description (English source)

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor's high-privilege service account — enabling container-sandbox escape, host filesystem and network access, and potential node- and cluster-level compromise. This issue has been patched in version 1.24.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS