What is the CVSS score of CVE-2026-49822?

CVE-2026-49822 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Fission are affected by CVE-2026-49822?

Fission (open-source serverless framework) contains a critical multi-tenant security boundary vulnerability (CVE-2026-49822) that allows low-privilege developers to view Kubernetes resources across…. A patch is available.

How to fix or mitigate CVE-2026-49822?

Within 24 hours: identify all production Fission deployments and document their current version and multi-tenancy status. Within 7 days: upgrade all instances to Fission version 1.24.0 or later; audit KubernetesWatchTrigger configurations and namespace-crossing watchers in access logs. Within 30 days: complete post-upgrade security validation, implement namespace-scoped network policies as defense-in-depth, and review all namespace-level role bindings for principle of least privilege.

Fission CVE-2026-49822

EUVD-2026-36095 HIGH

Improper Access Control (CWE-284)

2026-06-10 GitHub_M

Authentication Bypass Kubernetes

7.7

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.7 HIGH

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Jun 10, 2026 - 20:01 EUVD

Source Code Evidence Fetched

Jun 10, 2026 - 18:38 vuln.today

Analysis Generated

Jun 10, 2026 - 18:38 vuln.today

DescriptionNVD

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace. This issue has been patched in version 1.24.0.

Articles & Coverage 1

News 12 New Kubernetes Vulnerabilities - 5 Critical, 7 High Severity Jun 11, 2026

AnalysisAI

Cross-namespace information disclosure in Fission prior to 1.24.0 allows a low-privilege developer with namespace-scoped permissions to create a KubernetesWatchTrigger (KWT) that establishes a persistent watch channel against Kubernetes resources in any other namespace, breaking the platform's tenancy boundary. The flaw stems from missing namespace-equality enforcement in the kubewatcher controller, which honored an attacker-supplied Spec.Namespace value and even treated an empty value as cluster-wide visibility. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain developer RBAC in tenant namespace

Delivery

Author KWT with cross-namespace spec.Namespace

Exploit

Apply CRD to own namespace

Execution

Fission controller opens privileged client-go watch

Persist

Stream Pods/Services/Jobs events from victim namespace

Impact

Harvest workload metadata across tenants

Access

Obtain developer RBAC in tenant namespace

Delivery

Author KWT with cross-namespace spec.Namespace

Exploit

Apply CRD to own namespace

Execution

Fission controller opens privileged client-go watch

Persist

Stream Pods/Services/Jobs events from victim namespace

Impact

Harvest workload metadata across tenants

Vulnerability AssessmentAI

Exploitation	Requires a running Fission deployment prior to v1.24.0 on a shared Kubernetes cluster, plus an attacker identity with namespace-scoped RBAC permission to create KubernetesWatchTrigger custom resources (kubernetes.fission.io) in at least one namespace they control - exactly the privilege a normal Fission application developer holds. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 7.7 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N accurately models the threat: network-reachable Kubernetes API, low complexity, low privileges (any developer who can create a KWT in their own namespace), no user interaction, scope change (the controller's cluster-wide privileges are leveraged), and high confidentiality impact with no integrity or availability effect - consistent with a read-only cross-tenant watch leak. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A developer with create permissions on KubernetesWatchTrigger objects in their own namespace (e.g., team-a) submits a KWT manifest whose spec.namespace points at a victim namespace such as kube-system or finance-prod, or leaves spec.namespace empty to obtain a cluster-wide watch. The Fission kubewatcher controller, running with cluster-level privileges, opens a long-lived client-go watch against Pods, Services, ReplicationControllers, or Jobs in the targeted namespace and streams every add/update/delete event - including pod names, labels, annotations, and environment metadata - back through Fission's function invocation path, giving the attacker a persistent surveillance channel across tenancy boundaries.
Remediation	Vendor-released patch: upgrade Fission to version 1.24.0 or later, which adds explicit cross-namespace rejection in pkg/kubewatcher/kubewatcher.go (createKubernetesWatch now returns an error when w.Spec.Namespace differs from the trigger's namespace) and coerces an empty Spec.Namespace to the trigger's own namespace so an unset field can no longer resolve to cluster-wide visibility; release notes are at https://github.com/fission/fission/releases/tag/v1.24.0 and the GHSA advisory is at https://github.com/fission/fission/security/advisories/GHSA-gc3j-79f2-7vvw. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all production Fission deployments and document their current version and multi-tenancy status. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50563 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Fu

CVE-2026-50566 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RB

CVE-2026-50545 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environ

CVE-2026-50564 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with En

CVE-2026-49824 HIGH This Week

8.5 Jun 10

Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an auth

CVE-2026-49822 vulnerability details – vuln.today

Back

Fission CVE-2026-49822

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Articles & Coverage 1

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code