CVE Alert

CVE-2026-46618

UNKNOWN 0.0

Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context. This issue has been patched in version 1.23.0.
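The pattern described above (a `strings.Fields` split handed straight to `exec.Command`) can be gated by a validator like the one below. This is an added example, not Fission's code and not the 1.23.0 patch; the allowlist entries, the argument alphabet and the name `ValidateBuildCommand` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// ErrRejected marks any build command refused by the validator.
var ErrRejected = errors.New("build command rejected")

// Hypothetical allowlist of builder entry points (constructed, not Fission's).
var allowedExecutables = map[string]bool{"/usr/local/bin/build": true, "/build": true}

// Conservative argument alphabet: no quotes, spaces or shell metacharacters.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9._/=:-]+$`)

// ValidateBuildCommand splits raw the same way the vulnerable code did
// (strings.Fields) but returns an argv only if the executable is allowlisted
// and every argument is drawn from the safe alphabet.
func ValidateBuildCommand(raw string) ([]string, error) {
	argv := strings.Fields(raw)
	if len(argv) == 0 {
		return nil, fmt.Errorf("%w: empty command", ErrRejected)
	}
	exe := argv[0]
	if !path.IsAbs(exe) || path.Clean(exe) != exe {
		return nil, fmt.Errorf("%w: %q is not a clean absolute path", ErrRejected, exe)
	}
	if !allowedExecutables[exe] {
		return nil, fmt.Errorf("%w: %q is not an allowed executable", ErrRejected, exe)
	}
	for _, arg := range argv[1:] {
		if !safeArg.MatchString(arg) || strings.Contains(arg, "..") {
			return nil, fmt.Errorf("%w: argument %q", ErrRejected, arg)
		}
	}
	return argv, nil // caller may now pass argv[0], argv[1:]... to exec.Command
}

func main() {
	// Constructed sample values for Environment.spec.builder.command.
	for _, raw := range []string{"/usr/local/bin/build --target=out", "/bin/sh -c 'id'", "build"} {
		argv, err := ValidateBuildCommand(raw)
		fmt.Printf("%-40q argv=%v err=%v\n", raw, argv, err)
	}
}
```

Because CWE-250 and CWE-269 are also listed, validation of this kind complements, rather than replaces, restricting who may create or update Environment objects.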

CWE: CWE-78, CWE-250, CWE-269
Vendor: fission
Product: fission
Published: Jun 10, 2026
Last Updated: Jun 10, 2026

Affected Versions

fission / fission
< 1.23.0

References

https://github.com/fission/fission/security/advisories/GHSA-7pjr-qpvh-m339
https://github.com/fission/fission/pull/3364
https://github.com/fission/fission/releases/tag/v1.23.0