CVE-2026-29042

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a	Patch
https://github.com/nuclio/nuclio/pull/4030	Issue Tracking Patch
https://github.com/nuclio/nuclio/releases/tag/1.15.20	Product Release Notes
https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:iguazio:nuclio:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-06 07:16

Updated : 2026-03-10 19:32

NVD link : CVE-2026-29042

Mitre link : CVE-2026-29042

CVE.ORG link : CVE-2026-29042

JSON object : View

Products Affected

iguazio

nuclio

CWE

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

{"id": "CVE-2026-29042", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T07:16:01.743", "references": [{"url": "https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nuclio/nuclio/pull/4030", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nuclio/nuclio/releases/tag/1.15.20", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-75"}]}], "descriptions": [{"lang": "en", "value": "Nuclio is a \"Serverless\" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20."}, {"lang": "es", "value": "Nuclio es un 'Serverless' framework para eventos en tiempo real y procesamiento de datos. Antes de la versi\u00f3n 1.15.20, el componente Nuclio Shell Runtime contiene una vulnerabilidad de inyecci\u00f3n de comandos en la forma en que procesa los argumentos proporcionados por el usuario. Cuando se invoca una funci\u00f3n a trav\u00e9s de HTTP, el runtime lee el encabezado X-Nuclio-Arguments e incorpora directamente su valor en comandos de shell sin ninguna validaci\u00f3n o saneamiento. Este problema ha sido parcheado en la versi\u00f3n 1.15.20."}], "lastModified": "2026-03-10T19:32:49.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:iguazio:nuclio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA51227C-DF77-4ABD-AE30-642111BC7A15", "versionEndExcluding": "1.15.20"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}