CVE-2026-50570

Severity: High
Published: 10 June 2026
Modified: 17 June 2026
CISA KEV: not listed
Patch: available (fixed in version 1.25.0)
CVSS v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L)
EPSS: 0.0027 (19.2 percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-50570 is a high-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 19.2 percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. In versions prior to 1.25.0, Fission's PodSpec safety validation for tenant-facing Environment and Function CRDs (the ValidatePodSpecSafety / ValidateContainerSafety admission webhook plus the sanitizeContainerSecurityContext executor merge layer) implemented its capability check as a fixed denylist of six Linux capabilities: SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH and DAC_OVERRIDE. The denylist omitted CAP_SYS_TIME, among others. As a result, a tenant who could create a Function or Environment CRD could request securityContext.capabilities.add: ["SYS_TIME"], pass Fission's admission validation and merge-layer sanitization, and run attacker-controlled code with CAP_SYS_TIME in the resulting function or runtime container. This issue has been patched in version 1.25.0.
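As an added illustration (not Fission's code; the function and variable names are assumptions), this Go snippet contrasts a fixed six-entry denylist of the kind the advisory describes with a fail-closed allowlist, running both against the same constructed capabilities.add request:

```go
package main

import (
	"fmt"
	"strings"
)

// deniedCaps mirrors the fixed six-entry denylist described in the advisory;
// anything not listed here, CAP_SYS_TIME included, passes this check.
var deniedCaps = map[string]bool{
	"SYS_ADMIN": true, "NET_ADMIN": true, "SYS_PTRACE": true,
	"SYS_MODULE": true, "DAC_READ_SEARCH": true, "DAC_OVERRIDE": true,
}

// allowedCaps is a hypothetical operator-approved allowlist for tenant
// workloads; an empty map is the strictest and usually correct choice.
var allowedCaps = map[string]bool{"NET_BIND_SERVICE": true}

// normalize accepts both "SYS_TIME" and "CAP_SYS_TIME" spellings.
func normalize(c string) string {
	return strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(c)), "CAP_")
}

// validateDenylist is the weak check: it rejects only known-bad capabilities
// from securityContext.capabilities.add and lets everything else through.
func validateDenylist(add []string) error {
	for _, c := range add {
		if deniedCaps[normalize(c)] {
			return fmt.Errorf("capability %q is denied", c)
		}
	}
	return nil
}

// validateAllowlist is the hardened check: every requested capability must be
// explicitly approved, so unlisted ones such as SYS_TIME fail closed.
func validateAllowlist(add []string) error {
	for _, c := range add {
		if !allowedCaps[normalize(c)] {
			return fmt.Errorf("capability %q is not in the allowlist", c)
		}
	}
	return nil
}

func main() {
	req := []string{"SYS_TIME"} // constructed tenant request from the advisory
	fmt.Println("denylist :", validateDenylist(req))  // <nil>: request passes
	fmt.Println("allowlist:", validateAllowlist(req)) // rejected
}
```

An admission check for multi-tenant workloads should also require that tenant containers drop all capabilities by default, so the allowlist governs only explicit additions.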

CWE(s)

CWE-269 Improper Privilege Management
CWE-732 Incorrect Permission Assignment for Critical Resource

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Incomplete capability denylist in admission webhook directly enables unauthorized privilege escalation via CAP_SYS_TIME in containers.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

Affected Assets

Fission versions prior to 1.25.0 (fixed in 1.25.0).

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each of the following controls addresses CWE-269 and CWE-732.

1. Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
2. Implements proper privilege management by restricting subjects to only the rights they require.
3. Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
4. Training covers proper privilege management practices, making incorrect privilege assignments less likely.
5. The control mandates review of privilege assignments to ensure they are appropriate and minimal.
6. Baseline configuration documents and controls privilege assignments, making improper privilege management harder to introduce or sustain.
7. Manages privileges for change control activities and provides oversight to prevent improper privilege use in configuration updates.
8. Reviewing changes for security impacts prevents introduction of improper privilege assignments or escalations.
