CVE-2026-29042
Published 2026-03-06
Priority P2 · 66 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 2.36% (81.6th percentile)
Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | nuclio_nuclio | >= 0 < 1.15.20 | 1.15.20 |
| iguazio | nuclio | < 1.15.20 | 1.15.20 |
| nuclio | nuclio | < 1.15.20 | 1.15.20 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to Nuclio Shell Runtime functions for the presence of shell metacharacters or command injection payloads within the X-Nuclio-Arguments header (e.g., semicolons, pipes, backticks, $() subshell syntax).
- Alert on Nuclio Shell Runtime instances running versions prior to 1.15.20, as they are vulnerable to command injection via the X-Nuclio-Arguments HTTP header.
- Inspect HTTP traffic to Nuclio function endpoints for anomalous or oversized X-Nuclio-Arguments header values that may indicate exploitation attempts.
- The vulnerability is specific to the Nuclio Shell Runtime component; other Nuclio runtimes (e.g., Python, Go, Node.js) are not indicated as affected by this CVE.
- The fix is available in version 1.15.20; any deployment of github.com/nuclio/nuclio below this version using the Shell Runtime should be treated as vulnerable.
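As an added illustration of the detection guidance above (example code, not Nuclio's own), this Go snippet flags X-Nuclio-Arguments values that carry shell metacharacters or are oversized, splits a clean value into an argv slice so a binary can be launched without `sh -c`, and reports whether a deployed version is below 1.15.20. The 256-byte size threshold is an assumed example value.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Metacharacters from the detection guidance above, plus quotes and newlines,
// which also change how sh -c parses a concatenated string.
const shellMeta = ";|&`$(){}<>\\\"'\n\r"

// CheckArguments inspects an X-Nuclio-Arguments value the way a WAF rule or
// log scanner would and reports why it looks like an injection attempt.
// The 256-byte "oversized" threshold is a constructed example value.
func CheckArguments(value string) (suspicious bool, reason string) {
	if len(value) > 256 {
		return true, fmt.Sprintf("oversized value (%d bytes)", len(value))
	}
	if i := strings.IndexAny(value, shellMeta); i >= 0 {
		return true, fmt.Sprintf("shell metacharacter %q at offset %d", value[i], i)
	}
	return false, ""
}

// SafeArgv is the mitigation side: a validated value is split into an argv
// slice for exec.Command(binary, argv...), so no shell ever parses it.
func SafeArgv(value string) ([]string, error) {
	if bad, why := CheckArguments(value); bad {
		return nil, errors.New("rejected X-Nuclio-Arguments: " + why)
	}
	return strings.Fields(value), nil
}

// VulnerableVersion reports whether a Nuclio version ("1.15.19", "v1.14.0") is below the fixed release 1.15.20.
func VulnerableVersion(v string) bool {
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	for i, want := range [3]int{1, 15, 20} {
		n := 0
		if i < len(parts) {
			n, _ = strconv.Atoi(strings.SplitN(parts[i], "-", 2)[0])
		}
		if n != want {
			return n < want
		}
	}
	return false
}
```

Wiring CheckArguments into a request-logging middleware gives the "monitor the header" signal from the list above; SafeArgv is the shape the runtime should use instead of string concatenation.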
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.9 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV · 2026-03-10
CVE-2026-29042: Nuclio Shell Runtime Command Injection Leading to Privilege Escalation in github.com/nuclio/nuclio
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/nuclio/nuclio before v1.15.20.
OSV · 2026-03-04
CVE-2026-29042 [HIGH]: Nuclio Shell Runtime Command Injection Leading to Privilege Escalation
## Summary
This vulnerability exists in Nuclio's Shell Runtime component, allowing attackers with function invocation permissions to inject malicious commands via HTTP request headers, execute arbitrary code with root privileges in function containers, steal ServiceAccount Tokens with cluster-admin level permissions, and ultimately achieve complete control over the entire Kubernetes cluster. Recommended CWE classification: CWE-78 (OS Command Injection).
Nuclio Shell Runtime processes the `X-Nuclio-Arguments` HTTP header without validation or escaping, directly concatenating user input into shell commands executed via `sh -c`. This allows arbitrary command injection, enabling attackers to read sensitive files (includi
GHSA · 2026-03-04
CVE-2026-29042 [HIGH], CWE-75: Nuclio Shell Runtime Command Injection Leading to Privilege Escalation (same summary text as the OSV advisory above)
No detection rules found.
No public exploits indexed.