CVE-2026-29042

EUVD-2026-10013

06.03.2026, 07:16

Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.20, the Nuclio Shell Runtime component contains a command injection vulnerability in how it processes user-supplied arguments. When a function is invoked via HTTP, the runtime reads the X-Nuclio-Arguments header and directly incorporates its value into shell commands without any validation or sanitization. This issue has been patched in version 1.15.20.

Special Element Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
iguazio	nuclio	𝑥 < 1.15.20

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27

Common Weakness Enumeration

CWE-75 - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
The software does not adequately filter user-controlled input for special elements with control implications.

References

https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a

https://github.com/nuclio/nuclio/pull/4030

https://github.com/nuclio/nuclio/releases/tag/1.15.20

https://github.com/nuclio/nuclio/security/advisories/GHSA-95fj-3w7g-4r27