MEDIUM 4.3

CVE-2026-50569: Fission HTTP Trigger URL Validation Bypass

Fission, an open-source Kubernetes serverless framework, contains a validation bypass in its HTTP trigger configuration. Prior to version 1.25.0, two URL-related fields—RelativeURL and Prefix—were not properly validated when HTTPTrigger resources were created directly through kubectl or the Kubernetes REST API. While these fields were validated at the CLI level, the validation logic was absent from the core application and its API server rules. This means an attacker with Kubernetes API access could bypass URL restrictions by creating or modifying HTTPTrigger resources directly, potentially routing traffic to unintended functions or exposing restricted endpoints.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-20
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL — and CEL had no rules on those fields either — so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

HTTPTriggerSpec.Validate() in Fission versions prior to 1.25.0 validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but omitted validation of RelativeURL and Prefix fields. Validation of these two fields existed only in the CLI layer (pkg/fission-cli/cmd/httptrigger/create.go:83). Following the CRD modernization, the webhook-based validation was replaced with API-server CEL (Common Expression Language) rules, but those rules did not include constraints on RelativeURL and Prefix. Consequently, HTTPTrigger resources created via kubectl apply or direct REST API calls bypassed all URL-level validation checks. This represents an incomplete migration from webhook to CEL-based validation, leaving a gap in the security model.

Business impact

For organizations running Fission on Kubernetes, this vulnerability allows authenticated users with API access to circumvent intended HTTP routing policies. An insider or compromised service account could create or modify HTTPTrigger configurations to redirect traffic to unauthorized functions, potentially exposing sensitive endpoints or data flows that should be restricted. The impact is contained to users with Kubernetes API credentials and depends on the trust model and RBAC policies in place, but it does undermine the integrity of HTTP routing controls meant to enforce application boundaries.

Affected systems

Fission versions prior to 1.25.0 are affected. Any Kubernetes cluster running Fission as a serverless platform and allowing HTTPTrigger resource creation through Kubernetes APIs (kubectl, REST clients, GitOps tools, etc.) is at risk. The vulnerability does not affect users who deploy HTTPTrigger configurations exclusively through the CLI, which includes the missing validation logic.

Exploitability

Exploitation requires Kubernetes API access—specifically the ability to create or patch HTTPTrigger resources in the Fission namespace. The attack is straightforward: an authenticated user simply omits or misconfigures RelativeURL and Prefix values that would normally be rejected. No special tools or complex techniques are needed. However, the threat is limited to users with existing Kubernetes credentials. There is no unauthenticated vector, and public exploit code is not known to be in circulation (CISA KEV status: not listed).

Remediation

Upgrade Fission to version 1.25.0 or later, which patches HTTPTriggerSpec.Validate() to include proper validation of RelativeURL and Prefix fields in the API-server CEL rules. No workarounds are available for older versions. Administrators should also audit existing HTTPTrigger resources in their clusters to ensure URL configurations are intentional and appropriate.

Patch guidance

Verify the patch by consulting the official Fission release notes for version 1.25.0. Apply the upgrade in a controlled manner, testing HTTPTrigger creation and modification workflows in a non-production environment first. After upgrade, confirm that the API-server validation now rejects invalid or missing RelativeURL and Prefix values as expected. Review your Kubernetes RBAC policies to limit HTTPTrigger creation and modification to trusted users or service accounts.

Detection guidance

Monitor Kubernetes audit logs for HTTPTrigger resource creation and modification events, especially from unexpected service accounts or users. Look for PATCH or CREATE operations on HTTPTrigger objects that might bypass CLI validation. If running a pre-1.25.0 version, manually audit existing HTTPTrigger resources using kubectl get httptrigger -A -o yaml and verify that RelativeURL and Prefix fields are explicitly set to intended values. Implement a policy engine (e.g., Kyverno, OPA/Gatekeeper) to enforce HTTPTrigger field requirements at the cluster level until you upgrade.

Why prioritize this

Although the CVSS score is moderate (4.3), this vulnerability is prioritized because it represents a direct bypass of a security control—validation intended to enforce application routing policies. It affects authenticated insiders or compromised service accounts, making it relevant to organizations concerned with insider threats and lateral movement. The fix is straightforward and well-contained in a single version bump, making this an ideal candidate for immediate patching. Organizations with strict HTTP routing policies or multi-tenant Kubernetes clusters should treat this as higher priority.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects the requirement for authenticated Kubernetes API access (PR:L), the lack of confidentiality impact, and limited availability impact. The vulnerability does enable integrity compromise of HTTP routing configuration (I:L). The score appropriately captures the threat as contained within the Kubernetes API boundary but does not fully reflect the policy-bypass nature of the issue or its value to insiders; security teams should consider contextual factors like RBAC posture and multi-tenancy when assessing risk in their own environments.

Frequently asked questions

Do I need to patch if I only deploy HTTPTrigger resources via the Fission CLI?

No immediate risk, since the CLI includes validation for RelativeURL and Prefix. However, you should still upgrade to 1.25.0 to prevent accidental bypasses if someone uses kubectl or API clients directly, and to close the validation gap for consistency.

What fields are now properly validated in version 1.25.0?

HTTPTriggerSpec.Validate() has been enhanced so that RelativeURL and Prefix are now validated at the API server level via CEL rules, aligning with the validation that was already in place for Methods, FunctionReference, Host, IngressConfig, and CorsConfig.

How can I audit my cluster for potentially misconfigurations left by this vulnerability?

Use kubectl get httptrigger -A -o yaml to list all HTTPTrigger resources and manually inspect RelativeURL and Prefix fields for values that seem unintended or are missing. Cross-reference against your intended routing policies. Also review Kubernetes audit logs to see which users or service accounts created or modified HTTPTrigger resources.

Does this vulnerability allow unauthenticated access to Kubernetes?

No. It requires existing Kubernetes API credentials and the ability to create or patch HTTPTrigger resources. It does not bypass Kubernetes authentication or API server access controls.

This analysis is provided for informational purposes and based on publicly available CVE data current as of the publication date. Security teams should verify patch version numbers and affected product details against the official vendor advisory before deploying fixes. CVSS scores and severity ratings are subject to change. This vulnerability requires Kubernetes API access and does not represent a remote unauthenticated attack. Organizations should assess risk in the context of their own RBAC policies, multi-tenancy model, and insider threat landscape. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).