Skip to main content

Fission CVE-2026-50565

| EUVDEUVD-2026-36101 MEDIUM
Execution with Unnecessary Privileges (CWE-250)
2026-06-10 GitHub_M GHSA-8wcj-mfrc-jx5q
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 19:03 vuln.today
Analysis Generated
Jun 10, 2026 - 19:03 vuln.today

DescriptionNVD

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod - including the user-supplied builder image. This issue has been patched in version 1.24.0.

AnalysisAI

Kubernetes service account token exposure in Fission serverless framework prior to v1.24.0 allows authenticated high-privilege users to escalate cluster privileges via a malicious builder image. Builder pods were created with ServiceAccountName set to fission-builder but without AutomountServiceAccountToken: false, causing the Kubernetes kubelet to automatically inject the fission-builder service account credential into every container in the pod - including untrusted, user-supplied builder images. An attacker with sufficient Fission privileges to register or modify builder environments can exploit this to read the mounted token and authenticate directly to the Kubernetes API using the fission-builder service account's RBAC permissions. No public exploit identified at time of analysis; vendor-released patch is available in v1.24.0.

Technical ContextAI

Fission is a Kubernetes-native serverless framework (CPE: cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:*) that orchestrates build operations via a builder manager component (pkg/buildermgr/envwatcher.go). When a builder environment is registered, Fission creates a Kubernetes Pod with a user-supplied container image alongside an internal fetcher sidecar. The pod was assigned the fission-builder Kubernetes ServiceAccount without setting AutomountServiceAccountToken: false, which is the mechanism that instructs the kubelet to suppress automatic credential injection. By Kubernetes default behavior, the kubelet mounts the ServiceAccount's JWT bearer token into every container at /var/run/secrets/kubernetes.io/serviceaccount/token. This means the user-supplied builder image - which is external and untrusted by nature - received the same fission-builder token as the privileged fetcher sidecar. CWE-250 (Execution with Unnecessary Privileges) captures the root cause: the builder pod operated with broader credential access than its individual components required. The fix in PR #3390 sets AutomountServiceAccountToken: false at pod spec level and re-mounts the token exclusively on the fetcher container via a projected volume, isolating the credential from user-supplied containers. Additional hardening re-clamps the flag after MergePodSpec calls to prevent a patch-supplied PodSpec from inadvertently re-enabling the auto-mount.

RemediationAI

Upgrade Fission to version 1.24.0, which is the vendor-released patch confirmed by the GitHub release tag at https://github.com/fission/fission/releases/tag/v1.24.0 and the security advisory GHSA-8wcj-mfrc-jx5q. The fix sets AutomountServiceAccountToken: false at pod spec level and restricts the fission-builder service account token mount exclusively to the fetcher sidecar via a projected volume, preventing user-supplied builder images from accessing the credential. For deployments that cannot immediately upgrade, a compensating control is to audit and minimize the RBAC permissions bound to the fission-builder service account - reducing the permissions granted by the token limits the blast radius if the token is read by a malicious builder image, though this does not prevent the token from being mounted and read. Another option is to restrict who can register or modify Fission builder environments at the Kubernetes RBAC level, tightening the PR:H requirement further so fewer principals can trigger builder pod creation. Both workarounds have the trade-off of requiring ongoing RBAC management and do not eliminate the underlying token injection; upgrading to v1.24.0 is the only definitive remediation.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-50565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy