Threat Advisory

Nuclio Flaw Allows Unauthenticated Path Traversal and Arbitrary File Write

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Nuclio, a package that is used for various purposes. The overall risk and impact of these vulnerabilities are significant, as they can lead to remote code execution (RCE) and arbitrary file write. Affected version range is 1.16.5.

CVE-2026-52833 (CVSS 9.8 — Critical): Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE in Nuclio. An attacker can exploit this vulnerability by manipulating the repositories field, allowing for remote code execution.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Nuclio, a package that is used for various purposes. The overall risk and impact of these vulnerabilities are significant, as they can lead to remote code execution (RCE) and arbitrary file write. Affected version range is 1.16.5.

CVE-2026-52833 (CVSS 9.8 — Critical): Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE in Nuclio. An attacker can exploit this vulnerability by manipulating the repositories field, allowing for remote code execution.[emaillocker id="1283"]

CVE-2026-52832 (CVSS 7.5 — High): Unauthenticated path traversal in spec.handler allows arbitrary file write in Dashboard container of Nuclio. An attacker can exploit this vulnerability by traversing through paths and writing files to arbitrary locations, leading to potential data breaches.

These vulnerabilities collectively present a significant risk to administrators who have not applied the latest patches. Administrators should review their exposure and apply updates as soon as possible.

RECOMMENDATION:

We recommend you to update Nuclio to the version 1.16.5.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu