CVE-2026-29042: Nuclio Shell Runtime Command Injection Leading to Privilege Escalation
(updated )
This vulnerability exists in Nuclio’s Shell Runtime component, allowing attackers with function invocation permissions to inject malicious commands via HTTP request headers, execute arbitrary code with root privileges in function containers, steal ServiceAccount Tokens with cluster-admin level permissions, and ultimately achieve complete control over the entire Kubernetes cluster. Recommended CWE classification: CWE-78 (OS Command Injection).
Nuclio Shell Runtime processes the X-Nuclio-Arguments HTTP header without validation or escaping, directly concatenating user input into shell commands executed via sh -c. This allows arbitrary command injection, enabling attackers to read sensitive files (including ServiceAccount tokens) and access the Kubernetes API with cluster-level privileges.
References
- github.com/advisories/GHSA-95fj-3w7g-4r27
- github.com/nuclio/nuclio
- github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a
- github.com/nuclio/nuclio/pull/4030
- github.com/nuclio/nuclio/releases/tag/1.15.20
- github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27
- nvd.nist.gov/vuln/detail/CVE-2026-29042
Code Behaviors & Features
Detect and mitigate CVE-2026-29042 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →