GHSA-M63V-2G9W-2W6V
Vulnerability from github – Published: 2026-06-30 18:20 – Updated: 2026-06-30 18:20
Summary
A follow-up bypass of the round-4 PodSpec hardening (GHSA-gx55-f84r-v3r7, GHSA-wmgg-3p4h-48x7, GHSA-v455-mv2v-5g92). Those advisories validate and sanitize the PodSpec (spec.runtime.podSpec / spec.builder.podSpec / function.spec.podSpec), but the Environment CRD also exposes spec.runtime.container and spec.builder.container — a standalone Container merged into the runtime/builder pod whose SecurityContext bypassed both layers.
Details
Admission-layer gap. Environment.Validate() calls ValidatePodSpecSafety() on Runtime.PodSpec and Builder.PodSpec only. That function takes a *PodSpec, so it never inspects the standalone Runtime.Container.SecurityContext or Builder.Container.SecurityContext.
Merge-layer gap. sanitizeContainerSecurityContext() ran only inside MergePodSpec(). The container field is merged via MergeContainer(), which did not sanitize. With only Runtime.Container set and Runtime.PodSpec nil, MergePodSpec is never invoked, so the sanitizer never ran.
Affected merge sites: poolmgr (gp_deployment.go), newdeploy (newdeploy.go), and buildermgr (envwatcher.go).
Proof of concept
```yaml
apiVersion: fission.io/v1
kind: Environment
metadata:
  name: priv-escape-test
  namespace: default
spec:
  version: 3
  runtime:
    image: "ghcr.io/fission/python-env:latest"
    container:
      name: priv-escape-test
      securityContext:
        privileged: true
  poolsize: 1
```
The admission webhook accepts this Environment and the resulting pool pod runs with privileged: true. Equivalent bypasses: allowPrivilegeEscalation: true, capabilities.add: ["SYS_ADMIN"], capabilities.add: ["NET_ADMIN","SYS_PTRACE"]. The same attack applies to Builder.Container.
Impact
A tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor's high-privilege service account — enabling container-sandbox escape, host filesystem and network access, and potential node- and cluster-level compromise. Identical blast radius to GHSA-gx55-f84r-v3r7.
Fix
Fixed in #3406 and released in v1.24.0.
- Admission layer (primary defence): a new ValidateContainerSafety in pkg/apis/core/v1/podspec_safety.go applies the per-container SecurityContext denylist (privileged, allowPrivilegeEscalation, dangerous capabilities) to a standalone container, and is called from Environment.Validate() for Runtime.Container and Builder.Container.
- Merge layer (defence in depth): sanitizeContainerSecurityContext() is now invoked inside MergeContainer() itself, covering all three executor/builder call sites.
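As an added illustration of the admission-layer fix described above (this is example code, not Fission's own implementation), the Go sketch below applies a per-container SecurityContext denylist to the standalone Runtime.Container and Builder.Container fields that the PodSpec-only check skipped. The type definitions are simplified stand-ins for the corev1 and Fission types, and the denylist contents, function names and PoCEnvironment sample are assumptions that mirror the advisory's description.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the corev1 and Fission types (assumption: same field shape as the real ones).
type Capabilities struct{ Add []string }
type SecurityContext struct{ Privileged, AllowPrivilegeEscalation *bool; Capabilities *Capabilities }
type Container struct{ Name string; SecurityContext *SecurityContext }
type ContainerSpec struct{ Container *Container } // simplified stand-in for both Runtime and Builder
type Environment struct{ Runtime, Builder ContainerSpec }
// Illustrative denylist; the advisory names SYS_ADMIN, NET_ADMIN and SYS_PTRACE as bypass values.
var dangerousCaps = map[string]bool{"SYS_ADMIN": true, "NET_ADMIN": true, "SYS_PTRACE": true}
func isTrue(p *bool) bool { return p != nil && *p }

// ValidateContainerSafety checks one standalone container's SecurityContext against the
// denylist and returns every violation found (nil when the container is clean or absent).
func ValidateContainerSafety(path string, c *Container) []string {
	if c == nil || c.SecurityContext == nil { return nil }
	sc, errs := c.SecurityContext, []string(nil)
	if isTrue(sc.Privileged) {
		errs = append(errs, path+".securityContext.privileged must not be true")
	}
	if isTrue(sc.AllowPrivilegeEscalation) {
		errs = append(errs, path+".securityContext.allowPrivilegeEscalation must not be true")
	}
	if sc.Capabilities != nil {
		for _, name := range sc.Capabilities.Add {
			if dangerousCaps[strings.TrimPrefix(strings.ToUpper(name), "CAP_")] {
				errs = append(errs, path+".securityContext.capabilities.add contains "+name)
			}
		}
	}
	return errs
}

// ValidateEnvironment covers the two fields the PodSpec-only validation skipped:
// spec.runtime.container and spec.builder.container. The webhook would reject on a non-nil error.
func ValidateEnvironment(env *Environment) error {
	errs := append(ValidateContainerSafety("spec.runtime.container", env.Runtime.Container),
		ValidateContainerSafety("spec.builder.container", env.Builder.Container)...)
	if len(errs) > 0 {
		return fmt.Errorf("environment rejected: %s", strings.Join(errs, "; "))
	}
	return nil
}

// PoCEnvironment rebuilds the advisory's proof-of-concept manifest as constructed sample input.
func PoCEnvironment() *Environment {
	yes := true
	c := &Container{Name: "priv-escape-test", SecurityContext: &SecurityContext{Privileged: &yes}}
	return &Environment{Runtime: ContainerSpec{Container: c}}
}
```

The merge-layer sanitizer is not shown; it would apply the same denylist inside MergeContainer() and strip the offending fields rather than reject the object.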
Workarounds
- Restrict Environment create/update RBAC to trusted administrators.
- Deploy a Kyverno / OPA Gatekeeper policy rejecting dangerous Container SecurityContext on Environment CRDs.
- Label the function/builder namespaces with pod-security.kubernetes.io/enforce: restricted.
References
- GHSA-gx55-f84r-v3r7, GHSA-wmgg-3p4h-48x7, GHSA-v455-mv2v-5g92 — the round-4 PodSpec fixes this advisory bypasses (#3391, e484df84).
```json
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "<= 1.23.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fission/fission"
      },
      "ranges": [
        {
          "events": [
            { "introduced": "0" },
            { "fixed": "1.24.0" }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": ["CVE-2026-50566"],
  "database_specific": {
    "cwe_ids": ["CWE-250", "CWE-269"],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T18:20:39Z",
    "nvd_published_at": "2026-06-10T18:17:13Z",
    "severity": "CRITICAL"
  },
  "id": "GHSA-m63v-2g9w-2w6v",
  "modified": "2026-06-30T18:20:39Z",
  "published": "2026-06-30T18:20:39Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/fission/fission/security/advisories/GHSA-m63v-2g9w-2w6v" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50566" },
    { "type": "WEB", "url": "https://github.com/fission/fission/pull/3406" },
    { "type": "WEB", "url": "https://github.com/fission/fission/commit/695d3e97e3a20463ab7c8c081843e69e65e952e5" },
    { "type": "PACKAGE", "url": "https://github.com/fission/fission" },
    { "type": "WEB", "url": "https://github.com/fission/fission/releases/tag/v1.24.0" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation"
}
```