Skip to main content

Fission EUVD-2026-36096

| CVE-2026-49823 HIGH
Improper Access Control (CWE-284)
2026-06-10 GitHub_M
Authentication Bypass Kubernetes
7.7
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
HIGH
qualitative
NVD
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 18:39 vuln.today
Analysis Generated
Jun 10, 2026 - 18:39 vuln.today

DescriptionNVD

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types - Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not. This issue has been patched in version 1.24.0.

Articles & Coverage 1

News 12 New Kubernetes Vulnerabilities - 5 Critical, 7 High Severity Jun 11, 2026

AnalysisAI

Cross-namespace access control bypass in Fission prior to 1.24.0 allows an authenticated tenant to reference Package objects belonging to other Kubernetes namespaces because the admission webhook validated namespaces for Secret and ConfigMap references but omitted the equivalent check for PackageRef.Namespace. A low-privileged user with rights to create Function objects in their own namespace can therefore reach Package contents in arbitrary namespaces, producing a scope-changing confidentiality breach (CVSS 7.7, S:C, C:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv namespace credentials
Delivery
Identify target namespace and Package name
Exploit
Submit Function spec with cross-namespace PackageRef
Execution
Webhook fails to validate PackageRef.Namespace
Persist
Executor resolves Package with controller privileges
Impact
Invoke function and read leaked package contents
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires an authenticated Kubernetes principal with permission to create or update Fission Function custom resources in at least one namespace on a cluster running Fission prior to 1.24.0 where the Fission admission webhook is active (the webhook is the vulnerable surface - clusters running with admission webhook failurePolicy=Ignore are also exposed via the executor path until 1.24.0's defense-in-depth checks land). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) accurately portrays a network-reachable, low-complexity, authenticated, scope-changing read primitive: a tenant with namespace-scoped Function-create rights can exfiltrate Package contents from any namespace, which in multi-tenant Kubernetes clusters can include proprietary function code or build artifacts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained credentials for a low-privileged service account in tenant namespace 'ns-attacker' submits a Function spec whose Spec.Package.PackageRef points to {Name: 'private-pkg', Namespace: 'ns-victim'}; the pre-1.24.0 admission webhook accepts the object because it never compared the PackageRef namespace to the Function namespace. When the Fission executor instantiates the function, it resolves the referenced Package using controller-level permissions and exposes its contents to the attacker's invocation path, leaking proprietary code or embedded artifacts from a namespace the attacker has no direct RBAC on. …
Remediation Vendor-released patch: upgrade Fission to v1.24.0 or later (https://github.com/fission/fission/releases/tag/v1.24.0), which adds the missing PackageRef.Namespace check inside the admission webhook (pkg/webhook/function.go) and mirrored defense-in-depth checks in the newdeploy and poolmgr executors. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify and document all Fission deployments and their versions in production. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50563 CRITICAL
9.9 Jun 10

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Fu
CVE-2026-50566 CRITICAL
9.9 Jun 10

Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RB
CVE-2026-50545 CRITICAL
9.9 Jun 10

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environ
CVE-2026-50564 CRITICAL
9.9 Jun 10

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with En
CVE-2026-49824 HIGH
8.5 Jun 10

Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an auth

Share

EUVD-2026-36096 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy