Two high-severity vulnerabilities in the Kubernetes-native serverless platform Fission were disclosed, both allowing low-privileged tenants to inject unsafe PodSpec fields that can lead to node escape and broader cluster compromise. CVE-2026-50563 affects the Container Executor path, where Function.spec.podspec could be merged into an executor-generated pod definition before a Deployment is created, while CVE-2026-50545 affects the Environment CRD path through insufficient validation of Environment.spec.runtime.podSpec and spec.builder.podSpec. Both issues carry the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, reflecting low attack complexity, a scope change beyond the vulnerable component, and high impact to confidentiality, integrity, and availability.
The flaws affect Fission versions prior to 1.24.0, and the project has released fixes in version 1.24.0 alongside related GitHub advisories and pull requests. The disclosures indicate that unsafe passthrough and merge behavior in pod creation logic could let a tenant influence generated pods in ways that break isolation boundaries, turning serverless function deployment features into a path for host-level access and potential cluster takeover. Separately, a malicious Rust crate, onering 1.4.1, was also reported on the same day after being uploaded to crates.io with code designed to exfiltrate project metadata and source code before being removed roughly six hours later, though no evidence of actual use was reported.
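The mitigation both advisories point at is the same: a tenant-controlled podSpec must be validated, fail-closed, before it is merged into the pod the executor generates. The following is an added example of such a check, written for this page; it is not Fission's code or its 1.24.0 patch. It assumes the podSpec arrives as the dict form of a Kubernetes PodSpec (what JSON or YAML decoding of a CRD field yields); the field names are the standard PodSpec names, while the allowlist and denylists, the `validate_tenant_podspec` and `merge_tenant_podspec` functions, and the two sample fragments are this example's own constructions.

```python
"""Added example: admission-style validation of a tenant-supplied podSpec fragment.

Not Fission's code. It models the fix the advisories imply: reject host-namespace
switches, node volumes, privileged containers and identity fields in a tenant's
podSpec before any merge into an executor-generated pod happens.
"""
from typing import Any

# Top-level PodSpec keys a tenant may legitimately influence (scheduling, resources, data volumes).
# Policy sets below are this example's own, not a published standard.
ALLOWED_TENANT_POD_KEYS = {
    "containers", "initContainers", "volumes", "nodeSelector", "tolerations",
    "affinity", "terminationGracePeriodSeconds",
}
# Host-namespace switches: never tenant-controlled.
DENIED_POD_FIELDS = ("hostPID", "hostIPC", "hostNetwork")
# Identity-bearing keys: the platform decides which service account the pod runs as.
PLATFORM_ONLY_POD_KEYS = ("serviceAccountName", "serviceAccount", "automountServiceAccountToken")
# Volume types that expose node resources to the pod.
DENIED_VOLUME_TYPES = ("hostPath",)
# Capabilities that are effectively root on the node.
DENIED_CAPABILITIES = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _check_container(path: str, c: dict[str, Any], out: list[str]) -> None:
    """Append violations for one container entry; `path` names it in messages."""
    sc = c.get("securityContext") or {}
    if sc.get("privileged") is True:
        out.append(f"{path}.securityContext.privileged must not be true")
    if sc.get("allowPrivilegeEscalation") is True:
        out.append(f"{path}.securityContext.allowPrivilegeEscalation must not be true")
    if sc.get("runAsUser") == 0:
        out.append(f"{path}.securityContext.runAsUser must not be 0")
    added = set((sc.get("capabilities") or {}).get("add") or [])
    for cap in sorted(added & DENIED_CAPABILITIES):
        out.append(f"{path}.securityContext.capabilities.add contains {cap}")


def validate_tenant_podspec(spec: dict[str, Any]) -> list[str]:
    """Return every violation found; an empty list means the fragment may be merged."""
    out: list[str] = []
    for key in DENIED_POD_FIELDS:
        if spec.get(key) is True:
            out.append(f"spec.{key} must not be true")
    for key in PLATFORM_ONLY_POD_KEYS:
        if key in spec:
            out.append(f"spec.{key} is set by the platform, not the tenant")
    # Anything outside the allowlist is refused, so new PodSpec fields are denied by default.
    known = ALLOWED_TENANT_POD_KEYS | set(DENIED_POD_FIELDS) | set(PLATFORM_ONLY_POD_KEYS)
    for key in sorted(set(spec) - known):
        out.append(f"spec.{key} is not in the tenant allowlist")
    for i, vol in enumerate(spec.get("volumes") or []):
        for vtype in DENIED_VOLUME_TYPES:
            if vtype in vol:
                out.append(f"spec.volumes[{i}] ({vol.get('name', '?')}) uses {vtype}")
    for list_key in ("containers", "initContainers"):
        for i, c in enumerate(spec.get(list_key) or []):
            _check_container(f"spec.{list_key}[{i}]", c, out)
    return out


def merge_tenant_podspec(base: dict[str, Any], tenant: dict[str, Any]) -> dict[str, Any]:
    """Validate first, then overlay only allowlisted keys onto the platform's base spec.

    The overlay is a shallow key-by-key replacement, enough to show the fail-closed
    order; a real executor would use a strategic merge that keeps its own containers.
    """
    problems = validate_tenant_podspec(tenant)
    if problems:
        raise ValueError("unsafe podSpec rejected: " + "; ".join(problems))
    merged = dict(base)
    merged.update({k: v for k, v in tenant.items() if k in ALLOWED_TENANT_POD_KEYS})
    return merged


# Constructed sample fragments for this example; not taken from any advisory.
BENIGN_FRAGMENT = {
    "nodeSelector": {"kubernetes.io/arch": "amd64"},
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [{
        "name": "func",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True},
    }],
}
UNSAFE_FRAGMENT = {
    "hostPID": True,
    "serviceAccountName": "some-privileged-sa",
    "priorityClassName": "system-node-critical",
    "volumes": [{"name": "root", "hostPath": {"path": "/var/lib"}}],
    "containers": [{
        "name": "func",
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
    }],
}

if __name__ == "__main__":
    print("benign:", validate_tenant_podspec(BENIGN_FRAGMENT))
    for line in validate_tenant_podspec(UNSAFE_FRAGMENT):
        print("unsafe:", line)
```

The order matters: validation runs on the tenant fragment alone, before any merge, so a platform-set value such as `serviceAccountName` in the base spec can never be overwritten by a tenant key that slipped through a merge. The allowlist is what makes the check hold up over time; a denylist alone silently admits every PodSpec field added by a future Kubernetes release.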

Timeline: 6 events, from the most recent confirmed update back to the earliest known activity.
CVE-2026-50566 was published as a high-severity vulnerability affecting Fission versions prior to 1.24.0. The flaw lets a tenant with create or update permissions on environments.fission.io resources bypass SecurityContext restrictions and launch privileged containers under the executor's high-privilege service account, creating a risk of sandbox escape and cluster compromise.
CVE-2026-50545 and CVE-2026-50563 were publicly disclosed as high-severity flaws affecting Fission before version 1.24.0. One involved Environment CRD podSpec handling and the other the Container Executor path, both enabling dangerous podSpec injection.
Fission released version 1.24.0 to patch both CVE-2026-50545 and CVE-2026-50563, which affected versions prior to 1.24.0. The flaws allowed unsafe podSpec fields to be merged into generated workloads, creating node escape risk.
The malicious onering 1.4.1 release remained available for about six hours before being removed from crates.io. The advisory said there was no evidence of actual usage and that the crate had no dependencies on crates.io.
A malicious version of the Rust package onering, version 1.4.1, was published to crates.io on June 10, 2026. The code attempted to exfiltrate project metadata and source code from projects that included the crate.
The vulnerability later tracked as CVE-2026-50545 was received by security-advisories@github.com on June 10, 2026. The issue affects Fission versions prior to 1.24.0 and can enable node escape and cluster takeover via podSpec passthrough handling.