Nuclio Serverless Framework Command Injection in Shell Runtime

CVE-2026-29042 GHSA-95fj-3w7g-4r27
Summary

The Nuclio Serverless framework contains a command injection flaw in its Shell Runtime: user-supplied arguments are passed into shell commands without validation, so an attacker who can invoke a function over HTTP can execute arbitrary commands in the runtime and potentially read or modify sensitive data. All versions prior to 1.15.20 are affected; the issue is fixed in 1.15.20. To protect your system, update to version 1.15.20 or later.

What to do
  • Update github.com nuclio to version 1.15.20.
  • Update nuclio github.com/nuclio/nuclio to version 1.15.20.
Affected software
Vendor      Product                      Affected versions   Fix available
github.com  nuclio                       <= 1.15.9           1.15.20
nuclio      github.com/nuclio/nuclio     <= 1.15.20          1.15.20
iguazio     nuclio                       <= 1.15.20          –
Original title
Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it proces...
Original description
Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.
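The flaw described above is the classic pattern of splicing an untrusted header value into a shell command line. The following is an added Go example, not Nuclio's own code: it shows the hardened shape a runtime should use, parsing the header into discrete tokens, rejecting anything outside a conservative allowlist, and handing the tokens to exec.Command so no shell ever interprets them. The header name comes from the advisory; the function names, the allowlist pattern and the script path are assumptions for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Header named in the advisory as the source of user-supplied arguments.
const argumentsHeader = "X-Nuclio-Arguments"

// Conservative per-token allowlist (assumed policy, not Nuclio's): letters, digits and a few
// punctuation characters. Shell metacharacters such as ; | & $ ` ( ) < > and quotes are
// excluded, so a token like "foo;bar" is rejected before it can reach any command.
var safeArgPattern = regexp.MustCompile(`^[A-Za-z0-9_./:=@,-]+$`)

// ParseArguments splits the raw header value into whitespace-separated tokens and
// validates each one against the allowlist. It returns an error on the first bad token.
func ParseArguments(raw string) ([]string, error) {
	args := strings.Fields(raw)
	for _, a := range args {
		if !safeArgPattern.MatchString(a) {
			return nil, fmt.Errorf("rejected argument %q: contains disallowed characters", a)
		}
	}
	return args, nil
}

// BuildCommand is the hardened form: instead of building "script <raw header>" and
// running it through "sh -c", each validated token becomes its own argv entry.
// exec.Command passes argv straight to execve, so nothing is shell-interpreted.
func BuildCommand(script, rawArgs string) (*exec.Cmd, error) {
	args, err := ParseArguments(rawArgs)
	if err != nil {
		return nil, err
	}
	return exec.Command(script, args...), nil
}

func main() {
	// Constructed sample header values; "/opt/handler.sh" is a placeholder script path.
	for _, raw := range []string{"--input data.csv --mode fast", "--input x;whoami"} {
		cmd, err := BuildCommand("/opt/handler.sh", raw)
		if err != nil {
			fmt.Printf("%s=%q -> %v\n", argumentsHeader, raw, err)
			continue
		}
		fmt.Printf("%s=%q -> argv %q\n", argumentsHeader, raw, cmd.Args)
	}
}
```

Rejecting a request outright, and logging the rejected header value, also gives operators a clean detection signal for attempted injection against a patched runtime.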
NVD CVSS 4.0 score: 8.9
Vulnerability type
CWE-75 (Failure to Sanitize Special Elements into a Different Plane)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026