CVE-2026-50569

Source
https://cve.org/CVERecord?id=CVE-2026-50569
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50569.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-50569
Aliases
  • GHSA-vchh-r53j-8mpw
Published
2026-06-10T17:34:00.302Z
Modified
2026-07-08T08:13:45.917898322Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Fission: HTTPTrigger admission omits RelativeURL / Prefix validation; kubectl apply bypasses CLI checks
Details

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL — and CEL had no rules on those fields either — so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50569.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/fission/fission

Affected ranges

Type
GIT
Repo
https://github.com/fission/fission
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.25.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.10.0
0.3.0
0.3.0-rc
0.4.0
0.4.0rc
0.4.1
0.6.0
0.6.1
0.7.2
1.*
1.0-rc1
1.13.0
1.13.1
1.14.0
1.14.1
1.3.0
1.6.0
1.7.0
1.7.0-rc.1
1.7.0-rc.2
1.7.1
1.8.0
Other
alpha20170124
kubecon
latest
nightly20170621
nightly20170705
v0.*
v0.2.0-20170901
v0.2.1
v1.*
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.15.0
v1.15.0-rc1
v1.15.0-rc2
v1.15.1
v1.16.0
v1.16.0-rc1
v1.16.0-rc2
v1.17.0
v1.17.0-rc1
v1.17.0-rc2
v1.18.0
v1.18.0-rc1
v1.18.0-rc2
v1.19.0
v1.19.0-rc1
v1.19.0-rc2
v1.20.0
v1.20.0-rc1
v1.20.0-rc2
v1.20.1
v1.20.2
v1.20.3
v1.20.4
v1.20.5
v1.21.0
v1.21.0-rc1
v1.21.0-rc2
v1.22.0
v1.22.0-rc1
v1.22.0-rc2
v1.23.0
v1.23.0-rc1
v1.24.0
v1.6.0
v1.7.0
v1.7.0-rc.1
v1.7.0-rc.2
v1.7.1
v1.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50569.json"