CVE-2026-52831: Nuclio cron trigger shell command injection leading to RCE
CVE-2026-52831 is verified against github.com/nuclio/nuclio · go affected versions: <= 1.15.27 (all versions before 0.0.0-20260601075854-3356b86a8bfa) vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00283.
pruva-verify REPRO-2026-00283 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00283/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Nuclio controller builds curl invocation strings for Kubernetes CronJob-based cron triggers and stores them as /bin/sh -c command arguments without adequate sanitization. Malicious event.headers keys can break quoting in --header arguments, and event.body can leverage shell command substitution, resulting in arbitrary OS command execution in the cluster. Affected versions include Nuclio 1.15.27 and earlier, with the documented fix at the post-20260601075854 build referenced by advisories.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.