Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description (NVD)
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.
Analysis (AI)
Cross-namespace package reference flaw in Fission prior to version 1.24.0 allows an authenticated tenant to point a Package CRD at an Environment in another namespace, because the buildermgr controller never verified that Package.spec.environment.namespace matched Package.metadata.namespace. With CVSS 7.7 and a scope-changed confidentiality impact, a low-privileged user in one namespace can cause the controller to read and build against environment resources belonging to other tenants. …
Vulnerability Assessment (AI)
| Exploitation | Requires Fission < 1.24.0 deployed on a multi-tenant Kubernetes cluster, plus authenticated access sufficient to create or update Package CRDs in at least one namespace (CVSS PR:L). … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N describes a network-reachable, low-complexity attack requiring some privileges (a tenant able to create Package CRDs in their own namespace), no user interaction, with scope change and high confidentiality impact but no integrity or availability loss - consistent with a tenant boundary information-disclosure issue rather than RCE. … |
| Exploit Scenario | A low-privileged tenant with rights to create Package CRDs in their own namespace ns-attacker submits a Package whose spec.environment.namespace points to ns-victim, where another tenant's private Environment resides; the Fission buildermgr controller, running with broader cluster privileges, resolves the cross-namespace Environment and uses it to drive a build for the attacker, leaking confidential build context and environment contents. No public exploit is identified at time of analysis, but the patch diff itself documents the exact unguarded code paths, making a proof-of-concept straightforward to construct. |
| Remediation | Vendor-released patch: upgrade Fission to version 1.24.0 or later (https://github.com/fission/fission/releases/tag/v1.24.0), which adds explicit namespace-equality checks in buildermgr/common.go and buildermgr/pkgwatcher.go and also hardens kubewatcher against an analogous cross-namespace issue per PR https://github.com/fission/fission/pull/3379. … |
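
An audit for the condition described above, added here as an example (not Fission's code and not the 1.24.0 patch): it reads a Package list in the JSON shape assumed to come from `kubectl get packages.fission.io -A -o json` and reports every Package whose spec.environment.namespace does not equal its metadata.namespace. The function name, the type names and the sample objects are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ref holds the name/namespace pair used by both metadata and spec.environment.
type ref struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

// packageList decodes only the Package fields named in the advisory.
type packageList struct {
	Items []struct {
		Metadata ref `json:"metadata"`
		Spec     struct {
			Environment ref `json:"environment"`
		} `json:"spec"`
	} `json:"items"`
}

// Constructed sample: one same-namespace Package and one cross-namespace Package.
const sampleList = `{"items":[
 {"metadata":{"name":"pkg-ok","namespace":"tenant-a"},"spec":{"environment":{"name":"env-own","namespace":"tenant-a"}}},
 {"metadata":{"name":"pkg-cross","namespace":"tenant-a"},"spec":{"environment":{"name":"env-private","namespace":"tenant-b"}}}]}`

// CrossNamespacePackages returns "pkgNS/pkg -> envNS/env" for each mismatch.
// Strict equality is used, so an empty environment namespace is also reported for review.
func CrossNamespacePackages(listJSON []byte) ([]string, error) {
	var l packageList
	if err := json.Unmarshal(listJSON, &l); err != nil {
		return nil, fmt.Errorf("decode package list: %w", err)
	}
	var findings []string
	for _, p := range l.Items {
		env := p.Spec.Environment
		if env.Namespace != p.Metadata.Namespace {
			findings = append(findings, fmt.Sprintf("%s/%s -> %s/%s", p.Metadata.Namespace, p.Metadata.Name, env.Namespace, env.Name))
		}
	}
	return findings, nil
}

func main() {
	findings, err := CrossNamespacePackages([]byte(sampleList))
	fmt.Println(findings, err)
}
```

Any Package reported on a cluster still running a version before 1.24.0 is worth reviewing alongside the upgrade.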
Recommended Action (AI)
Within 24 hours: Enumerate all Fission production deployments, document versions, and restrict function package creation privileges to administrators only. …
EUVD-2026-36094