CVE-2026-29042

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a	Patch
https://github.com/nuclio/nuclio/pull/4030	Issue Tracking Patch
https://github.com/nuclio/nuclio/releases/tag/1.15.20	Product Release Notes
https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:iguazio:nuclio:*:*:*:*:*:*:*:*

History

10 Mar 2026, 19:32

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:iguazio:nuclio::::::::
References	~~() https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a -~~	() https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a - Patch
References	~~() https://github.com/nuclio/nuclio/pull/4030 -~~	() https://github.com/nuclio/nuclio/pull/4030 - Issue Tracking, Patch
References	~~() https://github.com/nuclio/nuclio/releases/tag/1.15.20 -~~	() https://github.com/nuclio/nuclio/releases/tag/1.15.20 - Product, Release Notes
References	~~() https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27 -~~	() https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27 - Exploit, Mitigation, Vendor Advisory
Summary		(es) Nuclio es un 'Serverless' framework para eventos en tiempo real y procesamiento de datos. Antes de la versión 1.15.20, el componente Nuclio Shell Runtime contiene una vulnerabilidad de inyección de comandos en la forma en que procesa los argumentos proporcionados por el usuario. Cuando se invoca una función a través de HTTP, el runtime lee el encabezado X-Nuclio-Arguments e incorpora directamente su valor en comandos de shell sin ninguna validación o saneamiento. Este problema ha sido parcheado en la versión 1.15.20.
First Time		Iguazio nuclio Iguazio

06 Mar 2026, 07:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 07:16

Updated : 2026-03-10 19:32

NVD link : CVE-2026-29042

Mitre link : CVE-2026-29042

CVE.ORG link : CVE-2026-29042

JSON object : View

Products Affected

iguazio

nuclio

CWE

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

9.8 /10