CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5430 vulnerabilities reference this CWE, most recent first.
GHSA-M54Q-J96W-RCMW
Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2022-05-17 00:01In getAvailabilityStatus of PrivateDnsPreferenceController.java, there is a possible way for a guest user to change private DNS settings due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-206987762
{
"affected": [],
"aliases": [
"CVE-2022-20112"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T20:15:00Z",
"severity": "MODERATE"
},
"details": "In getAvailabilityStatus of PrivateDnsPreferenceController.java, there is a possible way for a guest user to change private DNS settings due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-206987762",
"id": "GHSA-m54q-j96w-rcmw",
"modified": "2022-05-17T00:01:22Z",
"published": "2022-05-11T00:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20112"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5FW-XGHJ-6827
Vulnerability from github – Published: 2022-07-23 00:00 – Updated: 2022-07-30 00:00Multiple vulnerabilities in Cisco Nexus Dashboard could allow an authenticated, local attacker to elevate privileges on an affected device. These vulnerabilities are due to insufficient input validation during CLI command execution on an affected device. An attacker could exploit these vulnerabilities by authenticating as the rescue-user and executing vulnerable CLI commands using a malicious payload. A successful exploit could allow the attacker to elevate privileges to root on an affected device.
{
"affected": [],
"aliases": [
"CVE-2022-20907"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-22T04:15:00Z",
"severity": "MODERATE"
},
"details": "Multiple vulnerabilities in Cisco Nexus Dashboard could allow an authenticated, local attacker to elevate privileges on an affected device. These vulnerabilities are due to insufficient input validation during CLI command execution on an affected device. An attacker could exploit these vulnerabilities by authenticating as the rescue-user and executing vulnerable CLI commands using a malicious payload. A successful exploit could allow the attacker to elevate privileges to root on an affected device.",
"id": "GHSA-m5fw-xghj-6827",
"modified": "2022-07-30T00:00:41Z",
"published": "2022-07-23T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20907"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndb-mprvesc-EMhDgXe5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5G6-5M87-6CRM
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-0692"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T22:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka \u0027Microsoft Exchange Server Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-m5g6-5m87-6crm",
"modified": "2022-05-24T17:08:27Z",
"published": "2022-05-24T17:08:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0692"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0692"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M5QM-MH2P-V9H5
Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-10 00:00Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-35774, CVE-2022-35775, CVE-2022-35781, CVE-2022-35782, CVE-2022-35783, CVE-2022-35784, CVE-2022-35785, CVE-2022-35786, CVE-2022-35787, CVE-2022-35788, CVE-2022-35789, CVE-2022-35790, CVE-2022-35791, CVE-2022-35799, CVE-2022-35800, CVE-2022-35801, CVE-2022-35802, CVE-2022-35807, CVE-2022-35808, CVE-2022-35809, CVE-2022-35810, CVE-2022-35811, CVE-2022-35812, CVE-2022-35813, CVE-2022-35814, CVE-2022-35815, CVE-2022-35816, CVE-2022-35817, CVE-2022-35818, CVE-2022-35819.
{
"affected": [],
"aliases": [
"CVE-2022-35780"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-35774, CVE-2022-35775, CVE-2022-35781, CVE-2022-35782, CVE-2022-35783, CVE-2022-35784, CVE-2022-35785, CVE-2022-35786, CVE-2022-35787, CVE-2022-35788, CVE-2022-35789, CVE-2022-35790, CVE-2022-35791, CVE-2022-35799, CVE-2022-35800, CVE-2022-35801, CVE-2022-35802, CVE-2022-35807, CVE-2022-35808, CVE-2022-35809, CVE-2022-35810, CVE-2022-35811, CVE-2022-35812, CVE-2022-35813, CVE-2022-35814, CVE-2022-35815, CVE-2022-35816, CVE-2022-35817, CVE-2022-35818, CVE-2022-35819.",
"id": "GHSA-m5qm-mh2p-v9h5",
"modified": "2022-08-10T00:00:17Z",
"published": "2022-08-10T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35780"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35780"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35780"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5RX-4969-HH6C
Vulnerability from github – Published: 2022-01-04 00:00 – Updated: 2022-07-13 00:01There is a Configuration defects in Smartphone.Successful exploitation of this vulnerability may elevate the MEID (IMEI) permission.
{
"affected": [],
"aliases": [
"CVE-2021-37121"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-03T22:15:00Z",
"severity": "CRITICAL"
},
"details": "There is a Configuration defects in Smartphone.Successful exploitation of this vulnerability may elevate the MEID (IMEI) permission.",
"id": "GHSA-m5rx-4969-hh6c",
"modified": "2022-07-13T00:01:33Z",
"published": "2022-01-04T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37121"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5W7-XJG9-FVCR
Vulnerability from github – Published: 2026-03-05 03:31 – Updated: 2026-03-11 21:30International Data Casting (IDC) SFX2100 satellite receiver comes with the /bin/date utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFObins resource to preform privileged file reads as the root user on the local file system. This allows an actor to be able to read any root read-only files, such as the /etc/shadow file or other configuration/secrets carrier files.
{
"affected": [],
"aliases": [
"CVE-2026-29122"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T02:16:51Z",
"severity": "HIGH"
},
"details": "International Data Casting (IDC) SFX2100 satellite receiver comes with the `/bin/date`\u00a0utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFObins resource to preform privileged file reads as the root user on the local file system. This allows an actor to be able to read any root read-only files, such as the /etc/shadow file or other configuration/secrets carrier files.",
"id": "GHSA-m5w7-xjg9-fvcr",
"modified": "2026-03-11T21:30:58Z",
"published": "2026-03-05T03:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29122"
},
{
"type": "WEB",
"url": "https://gtfobins.org/gtfobins/date"
},
{
"type": "WEB",
"url": "https://www.abdulmhsblog.com/posts/sfx2100-vulns"
},
{
"type": "WEB",
"url": "https://www.abdulmhsblog.com/posts/spfx-vulnrabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M5WP-346P-H7X3
Vulnerability from github – Published: 2025-03-04 18:33 – Updated: 2025-03-04 18:33A privilege escalation vulnerability in PocketBook InkPad Color 3 allows attackers to escalate to root privileges if they gain physical access to the device. This issue affects InkPad Color 3 in version U743k3.6.8.3671.
{
"affected": [],
"aliases": [
"CVE-2025-1424"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T16:15:36Z",
"severity": "HIGH"
},
"details": "A privilege escalation vulnerability in PocketBook InkPad Color 3 allows attackers to escalate to root privileges if they gain physical access to the device.\nThis issue affects InkPad Color 3 in version U743k3.6.8.3671.",
"id": "GHSA-m5wp-346p-h7x3",
"modified": "2025-03-04T18:33:43Z",
"published": "2025-03-04T18:33:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1424"
},
{
"type": "WEB",
"url": "https://www.redguard.ch/blog/2025/03/04/security-advisory-pocketbook-inkpad-color-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M5X6-353V-HMG2
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2025-04-12 12:45The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.
{
"affected": [],
"aliases": [
"CVE-2014-9644"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-03-02T11:59:00Z",
"severity": "LOW"
},
"details": "The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421.",
"id": "GHSA-m5x6-353v-hmg2",
"modified": "2025-04-12T12:45:50Z",
"published": "2022-05-13T01:26:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9644"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/4943ba16bbc2db05115707b3ff7b4874e9e3c560"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1190546"
},
{
"type": "WEB",
"url": "https://plus.google.com/+MathiasKrause/posts/PqFCo4bfrWu"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=4943ba16bbc2db05115707b3ff7b4874e9e3c560"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4943ba16bbc2db05115707b3ff7b4874e9e3c560"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0068.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3170"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.5"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:057"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:058"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/01/24/4"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/72320"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2513-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2514-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2543-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2544-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2545-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2546-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M5X9-8X67-P4JM
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-25 00:00A highly privileged user can exploit SUID-root program to escalate his privileges to root on a local Unix system.
{
"affected": [],
"aliases": [
"CVE-2022-31594"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T19:15:00Z",
"severity": "HIGH"
},
"details": "A highly privileged user can exploit SUID-root program to escalate his privileges to root on a local Unix system.",
"id": "GHSA-m5x9-8x67-p4jm",
"modified": "2022-06-25T00:00:51Z",
"published": "2022-06-15T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31594"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3155571"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M63V-2G9W-2W6V
Vulnerability from github – Published: 2026-06-30 18:20 – Updated: 2026-06-30 18:20Summary
A follow-up bypass of the round-4 PodSpec hardening (GHSA-gx55-f84r-v3r7, GHSA-wmgg-3p4h-48x7, GHSA-v455-mv2v-5g92). Those advisories validate and sanitize the PodSpec (spec.runtime.podSpec / spec.builder.podSpec /
function.spec.podSpec), but the Environment CRD also exposes spec.runtime.container and spec.builder.container — a standalone Container merged into the runtime/builder pod whose SecurityContext bypassed both layers.
Details
Admission-layer gap. Environment.Validate() calls ValidatePodSpecSafety() on Runtime.PodSpec and Builder.PodSpec only. That function takes a *PodSpec, so it never inspects the standalone Runtime.Container.SecurityContext
or Builder.Container.SecurityContext.
Merge-layer gap. sanitizeContainerSecurityContext() ran only inside MergePodSpec(). The container field is merged via MergeContainer(), which did not sanitize. With only Runtime.Container set and Runtime.PodSpec nil,
MergePodSpec is never invoked, so the sanitizer never ran.
Affected merge sites: poolmgr (gp_deployment.go), newdeploy (newdeploy.go), and buildermgr (envwatcher.go).
Proof of concept
apiVersion: fission.io/v1
kind: Environment
metadata:
name: priv-escape-test
namespace: default
spec:
version: 3
runtime:
image: "ghcr.io/fission/python-env:latest"
container:
name: priv-escape-test
securityContext:
privileged: true
poolsize: 1
The admission webhook accepts this Environment and the resulting pool pod runs with privileged: true. Equivalent bypasses: allowPrivilegeEscalation: true, capabilities.add: ["SYS_ADMIN"], capabilities.add:
["NET_ADMIN","SYS_PTRACE"]. The same attack applies to Builder.Container.
Impact
A tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor's high-privilege
service account — enabling container-sandbox escape, host filesystem and network access, and potential node- and cluster-level compromise. Identical blast radius to GHSA-gx55-f84r-v3r7.
Fix
Fixed in #3406 and released in v1.24.0.
- Admission layer (primary defence): a new
ValidateContainerSafetyinpkg/apis/core/v1/podspec_safety.goapplies the per-container SecurityContext denylist (privileged,allowPrivilegeEscalation, dangerous capabilities) to a standalone container, and is called fromEnvironment.Validate()forRuntime.ContainerandBuilder.Container. - Merge layer (defence in depth):
sanitizeContainerSecurityContext()is now invoked insideMergeContainer()itself, covering all three executor/builder call sites.
Workarounds
- Restrict Environment create/update RBAC to trusted administrators.
- Deploy a Kyverno / OPA Gatekeeper policy rejecting dangerous Container SecurityContext on Environment CRDs.
- Label the function/builder namespaces with
pod-security.kubernetes.io/enforce: restricted.
References
- GHSA-gx55-f84r-v3r7, GHSA-wmgg-3p4h-48x7, GHSA-v455-mv2v-5g92 — the round-4 PodSpec fixes this advisory bypasses (#3391,
e484df84).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.23.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fission/fission"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50566"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:20:39Z",
"nvd_published_at": "2026-06-10T18:17:13Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nA follow-up bypass of the round-4 PodSpec hardening (GHSA-gx55-f84r-v3r7, GHSA-wmgg-3p4h-48x7, GHSA-v455-mv2v-5g92). Those advisories validate and sanitize the `PodSpec` (`spec.runtime.podSpec` / `spec.builder.podSpec` /\n`function.spec.podSpec`), but the Environment CRD also exposes `spec.runtime.container` and `spec.builder.container` \u2014 a standalone `Container` merged into the runtime/builder pod whose `SecurityContext` bypassed both layers.\n\n### Details\n\n**Admission-layer gap.** `Environment.Validate()` calls `ValidatePodSpecSafety()` on `Runtime.PodSpec` and `Builder.PodSpec` only. That function takes a `*PodSpec`, so it never inspects the standalone `Runtime.Container.SecurityContext`\nor `Builder.Container.SecurityContext`.\n\n**Merge-layer gap.** `sanitizeContainerSecurityContext()` ran only inside `MergePodSpec()`. The container field is merged via `MergeContainer()`, which did not sanitize. With only `Runtime.Container` set and `Runtime.PodSpec` nil,\n`MergePodSpec` is never invoked, so the sanitizer never ran.\n\nAffected merge sites: poolmgr (`gp_deployment.go`), newdeploy (`newdeploy.go`), and buildermgr (`envwatcher.go`).\n\n#### Proof of concept\n\n```yaml\napiVersion: fission.io/v1\nkind: Environment\nmetadata:\n name: priv-escape-test\n namespace: default\nspec:\n version: 3\n runtime:\n image: \"ghcr.io/fission/python-env:latest\"\n container:\n name: priv-escape-test\n securityContext:\n privileged: true\n poolsize: 1\n```\n\nThe admission webhook accepts this Environment and the resulting pool pod runs with `privileged: true`. Equivalent bypasses: `allowPrivilegeEscalation: true`, `capabilities.add: [\"SYS_ADMIN\"]`, `capabilities.add:\n[\"NET_ADMIN\",\"SYS_PTRACE\"]`. The same attack applies to `Builder.Container`.\n\n### Impact\n\nA tenant with `environments.fission.io` create/update RBAC can run `privileged` / `allowPrivilegeEscalation` / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor\u0027s high-privilege\nservice account \u2014 enabling container-sandbox escape, host filesystem and network access, and potential node- and cluster-level compromise. Identical blast radius to GHSA-gx55-f84r-v3r7.\n\n### Fix\n\nFixed in [#3406](https://github.com/fission/fission/pull/3406) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0).\n\n- **Admission layer (primary defence):** a new `ValidateContainerSafety` in `pkg/apis/core/v1/podspec_safety.go` applies the per-container SecurityContext denylist (`privileged`, `allowPrivilegeEscalation`, dangerous capabilities) to a\nstandalone container, and is called from `Environment.Validate()` for `Runtime.Container` and `Builder.Container`.\n- **Merge layer (defence in depth):** `sanitizeContainerSecurityContext()` is now invoked inside `MergeContainer()` itself, covering all three executor/builder call sites.\n\n### Workarounds\n\n- Restrict Environment create/update RBAC to trusted administrators.\n- Deploy a Kyverno / OPA Gatekeeper policy rejecting dangerous Container SecurityContext on Environment CRDs.\n- Label the function/builder namespaces with `pod-security.kubernetes.io/enforce: restricted`.\n\n### References\n\n- GHSA-gx55-f84r-v3r7, GHSA-wmgg-3p4h-48x7, GHSA-v455-mv2v-5g92 \u2014 the round-4 PodSpec fixes this advisory bypasses ([#3391](https://github.com/fission/fission/pull/3391), `e484df84`).",
"id": "GHSA-m63v-2g9w-2w6v",
"modified": "2026-06-30T18:20:39Z",
"published": "2026-06-30T18:20:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fission/fission/security/advisories/GHSA-m63v-2g9w-2w6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50566"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/pull/3406"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/commit/695d3e97e3a20463ab7c8c081843e69e65e952e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/fission/fission"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/releases/tag/v1.24.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.