Skip to content
Verified reproduction

CVE-2026-52831: Nuclio cron trigger shell command injection leading to RCE

CVE-2026-52831 is verified against github.com/nuclio/nuclio · go affected versions: <= 1.15.27 (all versions before 0.0.0-20260601075854-3356b86a8bfa) vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00283.

REPRO-2026-00283 github.com/nuclio/nuclio · go RCE Variant found Jul 11, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 89m 0s
Tool calls 384
Spend $19.48
Affected <= 1.15.27 (all versions before 0.0.0-20260601075854-3356b86a8bfa)
$ pruva-verify REPRO-2026-00283
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00283/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Nuclio controller builds curl invocation strings for Kubernetes CronJob-based cron triggers and stores them as /bin/sh -c command arguments without adequate sanitization. Malicious event.headers keys can break quoting in --header arguments, and event.body can leverage shell command substitution, resulting in arbitrary OS command execution in the cluster. Affected versions include Nuclio 1.15.27 and earlier, with the documented fix at the post-20260601075854 build referenced by advisories.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.