PT-2026-23091 · Nuclio · Nuclio

B0B0Haha +1
Published 2026-03-04 · Updated 2026-03-25
CVE-2026-29042
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nuclio versions prior to 1.15.20
Description: Nuclio's Shell Runtime contains a command injection flaw. When a shell-runtime function is invoked over HTTP, the runtime reads the X-Nuclio-Arguments request header in its getCommandArguments function and splices the value, without validation or sanitization, into a command line that it then executes with sh -c. Because the header value passes through a shell, metacharacters such as semicolons, pipes and backticks terminate the intended command and start an attacker-chosen one. Anyone able to invoke the function over HTTP (the CVSS vector scores this as PR:N) can therefore run arbitrary commands inside the function container, potentially as root. From there the attacker can read the ServiceAccount token mounted into the pod; where that account carries cluster-admin-level permissions, the result is full control of the Kubernetes cluster, with data theft, supply-chain tampering and ransomware deployment as possible follow-on outcomes. Every Nuclio release that ships the Shell Runtime before the fix in 1.15.20 is affected.
Recommendations: Upgrade to Nuclio 1.15.20 or later, the first release outside the affected range. Until the upgrade is possible, disable the Shell Runtime by setting enabled: false for it in the Nuclio platform configuration, and restrict who may deploy functions with Kubernetes Role-Based Access Control (RBAC). For maintainers of the runtime itself: validate user-supplied arguments in getCommandArguments against an allow-list of permitted characters rather than trying to filter out unsafe ones, and replace sh -c execution with a parameterized exec call that passes each argument as its own argv element, so that a shell never parses attacker input. Independently of the patch, grant the ServiceAccount mounted into function pods only the permissions the functions need; the cluster-takeover step of this attack depends on that token carrying cluster-admin rights.
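The following Go program is an added example for the description and recommendations above; it is not Nuclio's code. It contrasts the pattern the advisory describes (the header value concatenated into an sh -c string) with a hardened version that validates every argument against an allow-list and hands each one to exec.Command as a separate argv element. The function names, the handler path /opt/nuclio/handler.sh and the request payloads are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os/exec"
	"regexp"
	"strings"
)

// vulnerableCommandLine reproduces the pattern the advisory describes
// (constructed for this example, not Nuclio's source): the raw header value
// is concatenated into one string that is handed to "sh -c". The shell then
// treats ';', '|', backticks and similar characters as command separators.
func vulnerableCommandLine(scriptPath string, r *http.Request) []string {
	args := r.Header.Get("X-Nuclio-Arguments")
	return []string{"sh", "-c", scriptPath + " " + args}
}

// argToken is the allow-list applied to every individual argument: letters,
// digits and a few characters that carry no meaning to a POSIX shell.
// Anything else (; | & ` $ ( ) < > ' " \) fails the match.
var argToken = regexp.MustCompile(`^[A-Za-z0-9_./:=+,@-]+$`)

// splitArguments splits the header on whitespace and rejects any token
// outside the allow-list. Rejecting, rather than stripping, keeps a
// tampered request from silently running with altered arguments.
func splitArguments(raw string) ([]string, error) {
	var out []string
	for _, f := range strings.Fields(raw) {
		if !argToken.MatchString(f) {
			return nil, fmt.Errorf("argument %q contains characters outside the allow-list", f)
		}
		out = append(out, f)
	}
	return out, nil
}

// safeCommandLine builds argv for exec.Command: the script is argv[0] and
// each validated token is its own element, so no shell ever parses them.
func safeCommandLine(scriptPath string, r *http.Request) ([]string, error) {
	args, err := splitArguments(r.Header.Get("X-Nuclio-Arguments"))
	if err != nil {
		return nil, err
	}
	return append([]string{scriptPath}, args...), nil
}

// runArgv executes argv directly, without involving a shell.
func runArgv(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	req, _ := http.NewRequest("GET", "http://localhost:8080/", nil)
	// Constructed payload in the advisory's style: the semicolon ends the
	// intended argument and starts a second, attacker-chosen command.
	req.Header.Set("X-Nuclio-Arguments", "input.txt; id")

	fmt.Printf("vulnerable argv: %q\n", vulnerableCommandLine("/opt/nuclio/handler.sh", req))
	if _, err := safeCommandLine("/opt/nuclio/handler.sh", req); err != nil {
		fmt.Println("hardened path rejected it:", err)
	}

	// A benign request passes validation; "echo" stands in for the handler
	// script so the example runs anywhere.
	req.Header.Set("X-Nuclio-Arguments", "--mode=fast input.txt")
	argv, _ := safeCommandLine("echo", req)
	out, err := runArgv(argv)
	fmt.Printf("hardened argv: %q -> %q (err=%v)\n", argv, strings.TrimSpace(out), err)
}
```

The important design point is that the hardened path never produces a single string for a shell to interpret: the allow-list is a defence in depth, but even an overly permissive allow-list cannot turn a token into a second command when each token is a separate argv element.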

Exploit · Fix · LPE


Weakness Enumeration

Related Identifiers

CVE-2026-29042
GHSA-95FJ-3W7G-4R27
GO-2026-4598
SUSE-SU-2026:1042-1

Affected Products

Nuclio