Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionNVD
Summary
Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace - far beyond the Function.spec.secrets allowlist that the function specification suggests.
Affected component
pkg/executor/executortype/poolmgr/gp_deployment.go:154-156- pool-manager runtime podServiceAccountName.pkg/executor/executortype/newdeploy/newdeploy.go:225-227- new-deploy runtime podServiceAccountName.pkg/utils/serviceaccount.go:51-64-fission-fetcherRBAC: namespace-widegetonsecrets/configmaps.
Impact
A user able to deploy or update a function in any namespace where Fission runtime pods are scheduled could:
- Read every secret in that namespace (TLS keys, OIDC client secrets, database credentials, cloud provider credentials).
- Read every configmap in that namespace.
- Use those credentials to pivot to other Kubernetes resources or external systems the secrets unlock.
This violates the principle that Function.spec.secrets is the authoritative declaration of which secrets a function can read.
Root cause
The fetcher sidecar legitimately needs the SA token to call the Fission control plane and fetch package archives. Setting ServiceAccountName: fission-fetcher on the pod gives every container in the pod (including the user container) the automounted token. Kubernetes does not provide per-container service-account scoping inside a single pod, so the user container has to be moved into a separate identity / token-mount scheme.
Fix
Released in v1.23.0:
- PR #3366 (commit
fe1842ef): - The user function container now sets
AutomountServiceAccountToken: falseat the container level (via projected-volume token suppression), so the user container no longer sees the pod's SA token even though the fetcher sidecar still does. - The fetcher sidecar retains its existing token mount (separate projected volume) since it needs cluster API access for its own work.
- For the few legitimate use cases where a function needs its own Kubernetes API access, the user is expected to mount a different ServiceAccount via
Function.spec.podspecwith the minimum necessary RBAC (documented separately).
Mitigation (until upgrade)
- Restrict who can create / update
FunctionandPackageCRDs in your cluster - treat the ability to ship function code as equivalent to namespace-wide secret read. - Reduce the
fission-fetcherClusterRole / Role scope where possible (e.g. constrain it to specific named secrets via separate Role bindings). - Add NetworkPolicy egress rules denying function pods access to the Kubernetes API server (this blunts the token even if it leaks).
AnalysisAI
Privilege escalation in Fission (Kubernetes serverless framework) versions <= 1.22.0 allows any user able to deploy or update a Function CRD to read every Secret and ConfigMap in the runtime namespace, bypassing the Function.spec.secrets allowlist. The flaw stems from runtime pods running under the namespace-privileged fission-fetcher ServiceAccount whose automounted token is reachable by the user-code container alongside the fetcher sidecar. No public exploit identified at time of analysis, but the vendor-issued advisory (GHSA-85g2-pmrx-r49q) describes a trivially reachable abuse path once a function can be deployed.
Technical ContextAI
Fission is an open-source serverless/FaaS platform built on Kubernetes (Go module github.com/fission/fission). It executes user code in runtime pods composed of a fetcher sidecar (which retrieves function package archives and configuration from the Fission control plane) and a user-code container. Pods were assigned ServiceAccountName: fission-fetcher in pkg/executor/executortype/poolmgr/gp_deployment.go and pkg/executor/executortype/newdeploy/newdeploy.go, and that ServiceAccount has namespace-wide get on secrets and configmaps (pkg/utils/serviceaccount.go). Kubernetes does not support per-container ServiceAccount scoping within a single pod, so by default kubelet projects the SA token to /var/run/secrets/kubernetes.io/serviceaccount/token in every container - mapping cleanly to CWE-250 (Execution with Unnecessary Privileges), where the user-code container inherits cluster API privileges it never needed.
RemediationAI
Vendor-released patch: upgrade Fission to v1.23.0 (https://github.com/fission/fission/releases/tag/v1.23.0), which sets AutomountServiceAccountToken=false at the pod level and re-mounts the fetcher SA token via a projected volume only on the fetcher sidecar (PR #3366, https://github.com/fission/fission/pull/3366). If upgrade is not immediately possible, the vendor recommends three compensating controls with trade-offs to weigh: tightly restrict who can create or update Function and Package CRDs and treat that permission as equivalent to namespace-wide secret read (effective but operationally restrictive for teams that delegate function deployment); narrow the fission-fetcher ClusterRole/Role to specific named secrets via separate RoleBindings (reduces blast radius but may break functions that legitimately rely on broader fetcher reads); and add a NetworkPolicy egress rule denying function pods access to the Kubernetes API server (blunts the leaked token but will break any function or sidecar that legitimately calls the API).
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36092
GHSA-85g2-pmrx-r49q