CVE-2026-50569 Overview
CVE-2026-50569 is an input validation flaw [CWE-20] in Fission, an open-source Kubernetes-native serverless framework. Versions prior to 1.25.0 fail to validate the RelativeURL and Prefix fields of HTTPTriggerSpec at the API server layer. The HTTPTriggerSpec.Validate() function checks Methods, FunctionReference, Host, IngressConfig, and CorsConfig but silently skips URL fields. Validation exists only in the CLI at pkg/fission-cli/cmd/httptrigger/create.go:83. Authenticated users who create HTTPTriggers via kubectl apply or direct Kubernetes REST API calls bypass all URL-level checks. The issue is patched in version 1.25.0.
Critical Impact
Authenticated Kubernetes users can create Fission HTTPTriggers with malformed RelativeURL or Prefix values, bypassing server-side validation and impacting routing integrity.
Affected Products
- Fission serverless framework versions prior to 1.25.0
- Kubernetes clusters running Fission with HTTPTrigger CRDs
- Deployments relying on API-server CEL validation for HTTPTrigger inputs
Discovery Timeline
- 2026-06-10 - CVE-2026-50569 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-50569
Vulnerability Analysis
The vulnerability resides in Fission's HTTPTrigger validation pipeline. The server-side HTTPTriggerSpec.Validate() function performs checks on multiple fields but omits validation for RelativeURL and Prefix. These two URL-routing fields define how incoming HTTP requests map to backend Fission functions.
Fission previously relied on a CRD admission webhook to enforce HTTPTrigger validation. In a later CRD modernization, the project replaced the webhook with Common Expression Language (CEL) rules evaluated by the Kubernetes API server. The migration did not port any rules covering RelativeURL or Prefix, leaving both fields unchecked at every server-side boundary.
The Fission command-line interface enforces URL validation at pkg/fission-cli/cmd/httptrigger/create.go:83. However, this check executes only when users create triggers through the official CLI. Requests submitted through kubectl apply or any direct call to the Kubernetes REST API bypass the CLI entirely. The CVSS vector indicates an authenticated, network-accessible flaw with limited integrity impact.
Root Cause
The root cause is incomplete migration of validation logic. Field-level checks that previously ran in the admission webhook were not reimplemented in CEL after CRD modernization. The Validate() function silently returns success for RelativeURL and Prefix instead of rejecting unsupported values. Defense-in-depth was broken because client-side and server-side validation no longer cover the same field set.
Attack Vector
An authenticated user with permission to create HTTPTrigger custom resources submits a manifest with crafted RelativeURL or Prefix values directly to the Kubernetes API. The API server accepts the resource, and Fission's router consumes the unvalidated configuration. The attack does not require elevated cluster privileges beyond standard HTTPTrigger create rights. See the GitHub Security Advisory GHSA-vchh-r53j-8mpw for additional context.
Detection Methods for CVE-2026-50569
Indicators of Compromise
- HTTPTrigger custom resources containing RelativeURL or Prefix values that do not conform to expected URL syntax
- Audit log entries for HTTPTrigger create or update requests whose userAgent is kubectl or a generic client library rather than the Fission CLI (the CLI also goes through the Kubernetes API, and the user agent is client-supplied, so this is a weak signal, not proof of bypass)
- Unexpected routing behavior or 404 responses in the Fission router for routes that appear valid in the CRD
Detection Strategies
- Inspect existing HTTPTrigger objects in the cluster and compare RelativeURL and Prefix fields against the validation logic in pkg/fission-cli/cmd/httptrigger/create.go:83
- Enable Kubernetes audit logging for the fission.io/v1 API group and alert on HTTPTrigger create or update events whose user agent is not the Fission CLI; treat this as a triage hint only, since the user agent is chosen by the client and can be spoofed
- Run the Fission CLI version command (fission version), which reports both the client and the server version, and flag any cluster whose server release is earlier than 1.25.0
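The detection strategy above (inspect existing HTTPTrigger objects) and the later remediation step of auditing all existing triggers both need the same thing: a check over every RelativeURL and Prefix already in the cluster. The script below is an added example and is not code from the Fission project or from the page's author. It assumes the CRD plural is httptriggers.fission.io and that the JSON keys are .spec.relativeurl and .spec.prefix (the lowercase tags of HTTPTriggerSpec.RelativeURL and HTTPTriggerSpec.Prefix); the acceptance rules are this script's own conservative allowlist, not a copy of the CLI logic at pkg/fission-cli/cmd/httptrigger/create.go:83.

```shell
#!/bin/sh
# Added example, not code from the Fission project: audit existing HTTPTriggers for the
# URL-field checks that HTTPTriggerSpec.Validate() omits before 1.25.0.
# Assumptions: the CRD plural is httptriggers.fission.io and the JSON keys are
# .spec.relativeurl and .spec.prefix. The acceptance rules below are this script's own
# conservative allowlist, not Fission's.

# A route must start with "/" and contain only URL path characters plus {param}
# placeholders. Anything else (scheme, host, query, whitespace, controls) is rejected.
ROUTE_RE='^/[A-Za-z0-9._~/{}:@-]*$'
NL=$(printf '\n.'); NL=${NL%.}

# check_route VALUE: prints "ok" or a reason; exits 0 only if VALUE is acceptable.
check_route() {
  val=$1
  case $val in
    '')        echo "empty"; return 1 ;;
    *"$NL"*)   echo "contains a newline"; return 1 ;;
    /*)        ;;
    *)         echo "does not start with / (absolute URL or relative path)"; return 1 ;;
  esac
  case $val in
    *'?'*|*'#'*) echo "contains a query or fragment"; return 1 ;;
    *//*)        echo "contains an empty path segment"; return 1 ;;
    *..*)        echo "contains a dot-segment"; return 1 ;;
  esac
  if ! printf '%s\n' "$val" | grep -Eq "$ROUTE_RE"; then
    echo "contains characters outside the path allowlist"; return 1
  fi
  echo "ok"
}

# list_httptriggers: one line per trigger, fields separated by "|". "|" is not an
# allowed path character, so a "|" inside a field still surfaces as a finding.
list_httptriggers() {
  kubectl get httptriggers.fission.io -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"|"}{.metadata.name}{"|"}{.spec.relativeurl}{"|"}{.spec.prefix}{"\n"}{end}'
}

# audit_httptriggers: reads list_httptriggers output on stdin, prints one line per
# finding, and exits 0 only when there are no findings.
audit_httptriggers() {
  findings=0
  while IFS='|' read -r ns name relativeurl prefix || [ -n "$ns" ]; do
    [ -z "$ns$name" ] && continue
    if [ -z "$relativeurl" ] && [ -z "$prefix" ]; then
      echo "$ns/$name: neither relativeurl nor prefix is set"
      findings=$((findings + 1))
      continue
    fi
    for pair in "relativeurl=$relativeurl" "prefix=$prefix"; do
      field=${pair%%=*}; val=${pair#*=}
      [ -z "$val" ] && continue
      reason=$(check_route "$val") || {
        echo "$ns/$name: $field=\"$val\": $reason"
        findings=$((findings + 1))
      }
    done
  done
  [ "$findings" -eq 0 ]
}

# Against a live cluster: sh audit-httptriggers.sh run
if [ "${1:-}" = run ]; then
  list_httptriggers | audit_httptriggers
fi
```

Run it against the cluster after upgrading as well: the 1.25.0 validation applies to new writes, and any trigger that was already stored with a malformed field stays in etcd until it is corrected or deleted. Lines of constructed kubectl output can also be piped straight into audit_httptriggers to exercise the rules offline.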
Monitoring Recommendations
- Forward Kubernetes API server audit logs to a centralized analytics platform for continuous review of HTTPTrigger mutations
- Track Fission router error rates and correlate spikes with recent HTTPTrigger create or update events
- Add policy checks in admission controllers such as Kyverno or OPA Gatekeeper to validate RelativeURL and Prefix formats independently
How to Mitigate CVE-2026-50569
Immediate Actions Required
- Upgrade Fission to version 1.25.0 or later, which restores server-side validation for RelativeURL and Prefix
- Audit all existing HTTPTrigger resources and remove or correct entries with malformed URL fields
- Restrict create and update permissions on HTTPTrigger CRDs to trusted service accounts and users via Kubernetes RBAC
Patch Information
The Fission maintainers fixed the issue in Fission release v1.25.0. The corresponding code change is in GitHub Pull Request #3464, which adds the missing validation for RelativeURL and Prefix to HTTPTriggerSpec.Validate().
Workarounds
- Deploy an admission policy, either a native Kubernetes ValidatingAdmissionPolicy with CEL rules or a Kyverno or OPA Gatekeeper policy, that enforces URL syntax rules on HTTPTrigger RelativeURL and Prefix fields
- Restrict HTTPTrigger create and update permissions to a small set of trusted identities; note that RBAC cannot force use of the Fission CLI, since the CLI and kubectl both write through the same Kubernetes API, so this limits who can create triggers rather than how
- Implement a CI pipeline check that lints Fission manifests against expected URL formats before applying them to the cluster
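The first workaround above, written out as a native Kubernetes ValidatingAdmissionPolicy. This is an added example, not code from the Fission project or from the page's author; it uses the CEL mechanism the page says Fission itself relies on, so it needs admissionregistration.k8s.io/v1 (Kubernetes 1.30 or later). It assumes the CRD plural httptriggers in group fission.io and the JSON keys .spec.relativeurl and .spec.prefix; the path allowlist is this example's own and may need widening for your routes.

```shell
#!/bin/sh
# Added example, not code from the Fission project: a ValidatingAdmissionPolicy that
# rejects HTTPTriggers whose relativeurl or prefix is not a plain URL path, for clusters
# that cannot move to 1.25.0 yet. Assumptions: CRD plural httptriggers (group fission.io),
# JSON keys .spec.relativeurl and .spec.prefix, Kubernetes 1.30+ for the v1 API.

fission_httptrigger_policy_manifest() {
  cat <<'EOF'
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: fission-httptrigger-url-syntax
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["fission.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["httptriggers"]
  validations:
    # At least one routing field must be set (assumed requirement, mirrors the CLI).
    - expression: >-
        (has(object.spec.relativeurl) && size(object.spec.relativeurl) > 0)
        || (has(object.spec.prefix) && size(object.spec.prefix) > 0)
      message: "HTTPTrigger must set spec.relativeurl or spec.prefix"
    # When set, each field must be a plain path: leading "/", allowlisted characters
    # plus {param} placeholders, no empty segments, no dot-segments, no query/fragment.
    - expression: >-
        !has(object.spec.relativeurl) || size(object.spec.relativeurl) == 0
        || (object.spec.relativeurl.matches('^/[A-Za-z0-9._~/{}:@-]*$')
        && !object.spec.relativeurl.contains('//')
        && !object.spec.relativeurl.contains('..'))
      message: "spec.relativeurl must be a plain URL path starting with /"
    - expression: >-
        !has(object.spec.prefix) || size(object.spec.prefix) == 0
        || (object.spec.prefix.matches('^/[A-Za-z0-9._~/{}:@-]*$')
        && !object.spec.prefix.contains('//')
        && !object.spec.prefix.contains('..'))
      message: "spec.prefix must be a plain URL path starting with /"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: fission-httptrigger-url-syntax
spec:
  policyName: fission-httptrigger-url-syntax
  validationActions: ["Deny"]
EOF
}

# On a live cluster: sh httptrigger-policy.sh apply   (or: delete)
case ${1:-} in
  apply)  fission_httptrigger_policy_manifest | kubectl apply -f - ;;
  delete) fission_httptrigger_policy_manifest | kubectl delete -f - ;;
esac
```

The policy is evaluated by the API server for every write, so it closes the gap for kubectl apply and direct REST calls, not only for the CLI. Keep it in place after the upgrade if you want an independent check; failurePolicy: Fail means HTTPTrigger writes are rejected if the policy itself cannot be evaluated, which is the safe default for a routing control.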
# Configuration example: upgrade Fission via Helm (chart repo: https://fission.github.io/fission-charts/)
helm repo add fission-charts https://fission.github.io/fission-charts/
helm repo update
helm upgrade --install fission fission-charts/fission-all \
  --namespace fission --create-namespace \
  --version 1.25.0
# Verify the running version: every Fission image in the namespace should carry the v1.25.0 tag
kubectl -n fission get deploy -o jsonpath='{.items[*].spec.template.spec.containers[*].image}'
# The CLI reports both its own and the server's version
fission version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.