Fission CVE-2026-50545 | EUVD-2026-36098
CRITICAL · Improper Privilege Management (CWE-269)
2026-06-10 · GitHub_M
CVSS 3.1 (NVD): 9.9
Severity by source

Vendor (GitHub_M), primary: CRITICAL (qualitative)
NVD: 9.9 CRITICAL (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Primary rating from Vendor (GitHub_M).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4)

Jun 10, 2026 - 20:01 (EUVD): Patch available
Jun 10, 2026 - 18:42 (vuln.today): Source Code Evidence Fetched
Jun 10, 2026 - 18:42 (vuln.today): Analysis Generated
Jun 10, 2026 - 17:26 (nvd): CVE Published, CRITICAL 9.9

Description (NVD)

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous fields into the generated pods. This issue has been patched in version 1.24.0.

Analysis (AI)

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environment custom resources to abuse unvalidated podSpec passthrough fields (Environment.spec.runtime.podSpec and spec.builder.podSpec), causing MergePodSpec to propagate dangerous fields - notably AutomountServiceAccountToken - into the generated builder/runtime pods. Because the fission-builder ServiceAccount token then becomes accessible from a user-supplied container, an attacker can pivot from a Fission tenant into broader Kubernetes cluster privileges (CVSS 9.9, Scope:Changed). …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain RBAC to create Environments
Delivery: Submit Environment with malicious podSpec passthrough
Exploit: MergePodSpec propagates AutomountServiceAccountToken
Execution: Kubelet mounts fission-builder SA token in attacker container
Persist: Read token and call Kubernetes API
Impact: Pivot to cluster-scoped privileges

Vulnerability Assessment (AI)

Exploitation: Attacker must hold Kubernetes RBAC permitting create or update on Fission Environment custom resources (environments.fission.io) in at least one namespace where the Fission buildermgr/executor is reconciling - this is the PR:L authenticated prerequisite. …

Risk Assessment: The CVSS 9.9 score is driven by Scope:Changed plus full CIA impact, which is consistent with a tenant breaking out of its pod boundary into cluster-wide ServiceAccount privileges - a realistic outcome here given the SA-token exposure documented in the PR diff. …

Exploit Scenario: An attacker with namespace-level RBAC to create a Fission Environment (for example, a developer in a multi-tenant cluster, or an attacker who has compromised a CI service account) submits an Environment whose spec.builder.podSpec sets AutomountServiceAccountToken=true and points the builder container image at attacker-controlled code. When the buildermgr reconciles the Environment, MergePodSpec propagates the flag, and kubelet mounts the fission-builder ServiceAccount token inside the attacker's builder container; the attacker's container reads the token and calls the Kubernetes API with fission-builder privileges, pivoting toward cluster-wide compromise. …

Remediation: Upgrade to Fission v1.24.0 or later (release: https://github.com/fission/fission/releases/tag/v1.24.0), which corresponds to the upstream fix in PRs https://github.com/fission/fission/pull/3390 and https://github.com/fission/fission/pull/3391 - these explicitly set AutomountServiceAccountToken=false on the pod, re-clamp it after MergePodSpec runs, and re-mount the fission-builder SA token only on the fetcher sidecar via a projected volume. …

Recommended Action (AI)

Within 24 hours: Identify all Fission deployments, confirm current versions, and audit which users and service accounts hold permission to create or modify Environment resources. …
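
A defender-side check to go with the audit above, added here as an example and not taken from Fission or from this site: it reads Environment objects in the shape of `kubectl get environments.fission.io -A -o json` and reports every podSpec passthrough, marking HIGH where `automountServiceAccountToken` is set to true. The sample objects, image names and the HIGH/REVIEW labels are constructed for illustration, and only the one field the advisory names is checked.

```python
import json

# Constructed sample, shaped like `kubectl get environments.fission.io -A -o json`.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "team-a", "name": "python"},
     "spec": {"runtime": {"image": "example/python-env"},
              "builder": {"image": "example/python-builder"}}},
    {"metadata": {"namespace": "team-b", "name": "node"},
     "spec": {"runtime": {"image": "example/node-env",
                          "podSpec": {"automountServiceAccountToken": False}},
              "builder": {"image": "example/node-builder",
                          "podSpec": {"automountServiceAccountToken": True}}}},
]})

# The two passthrough locations named in the advisory.
PASSTHROUGH = ("runtime", "builder")


def audit_environments(doc):
    """Return (namespace, name, path, level) for every podSpec passthrough.

    HIGH   = the passthrough asks for the ServiceAccount token to be mounted.
    REVIEW = a passthrough exists; before 1.24.0 its fields were not validated.
    """
    data = json.loads(doc)
    items = data.get("items", [data])  # accept a List or a single object
    findings = []
    for item in items:
        meta = item.get("metadata") or {}
        spec = item.get("spec") or {}
        for section in PASSTHROUGH:
            pod_spec = (spec.get(section) or {}).get("podSpec")
            if not isinstance(pod_spec, dict):
                continue  # no passthrough on this side
            level = "HIGH" if pod_spec.get("automountServiceAccountToken") is True else "REVIEW"
            findings.append((meta.get("namespace"), meta.get("name"),
                             f"spec.{section}.podSpec", level))
    return findings


if __name__ == "__main__":
    for ns, name, path, level in audit_environments(SAMPLE):
        print(f"{level:6} {ns}/{name} {path}")
```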

CVE-2026-50545 vulnerability details – vuln.today