Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Description (NVD)
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. This issue has been patched in version 1.24.0.
Analysis (AI)
Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an authenticated tenant with permission to create Function objects in their own namespace to reference an Environment in a different namespace, because the admission webhook in pkg/webhook/function.go validated namespace equality only for secrets and configmaps, not for spec.environment.namespace. An attacker can pivot across Kubernetes namespace boundaries and pull in environment configuration belonging to other tenants (CVSS 8.5, scope-changed, high confidentiality impact). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Attacker must hold Kubernetes RBAC permission to create or update fission.io Function custom resources in at least one namespace on the target cluster (matching the CVSS PR:L). … |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N tells a consistent story with the description: network-reachable Kubernetes API, low complexity, low privileges required (the attacker must be able to create Function resources in some namespace, i.e. … |
| Exploit Scenario | An attacker who has obtained credentials for a low-privileged tenant namespace in a shared Fission cluster submits a Function manifest in their own namespace whose spec.environment.namespace points at a victim tenant's namespace; the pre-1.24.0 admission webhook accepts the manifest because it never compared the two namespaces, and Fission's executor then resolves and uses the victim's Environment when servicing the attacker's function invocations. No public weaponized exploit is identified at time of analysis, but the patch diff in PR #3389 makes the vulnerable code path and the trigger condition explicit, so a working POC is straightforward to derive. |
| Remediation | Vendor-released patch: upgrade Fission to version 1.24.0 or later (https://github.com/fission/fission/releases/tag/v1.24.0), which adds the missing cross-namespace check for spec.environment.namespace in pkg/webhook/function.go and defence-in-depth checks in the newdeploy and poolmgr executors so that stale Function objects created before the webhook was active are still rejected. … |
Recommended Action (AI)
Within 24 hours: Identify all Fission deployments and confirm versions; flag any version prior to 1.24.0 as at-risk. …
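To find stale Function objects of the kind the Remediation row mentions, the namespace-equality rule from the description can be applied to objects already stored in the cluster. The following is an added audit example, not code from Fission or from this page; it assumes its input is the JSON list produced by `kubectl get functions.fission.io -A -o json`, treats an empty namespace as "same namespace", and uses constructed tenant names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ref is the name/namespace pair shared by metadata and the spec references.
type ref struct{ Name, Namespace string }

// crossNamespaceRefs reports each reference whose namespace differs from the
// Function's own. Assumption: an empty namespace means "same namespace".
func crossNamespaceRefs(listJSON []byte) ([]string, error) {
	var list struct { // only the audited fields; JSON keys match case-insensitively
		Items []struct {
			Metadata ref
			Spec     struct {
				Environment         ref
				Secrets, ConfigMaps []ref
			}
		}
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, f := range list.Items {
		check := func(field string, rs ...ref) {
			for _, r := range rs {
				if r.Namespace != "" && r.Namespace != f.Metadata.Namespace {
					out = append(out, fmt.Sprintf("%s/%s: %s -> %s/%s",
						f.Metadata.Namespace, f.Metadata.Name, field, r.Namespace, r.Name))
				}
			}
		}
		check("spec.environment", f.Spec.Environment)
		check("spec.secrets[]", f.Spec.Secrets...)
		check("spec.configmaps[]", f.Spec.ConfigMaps...)
	}
	return out, nil
}

// sample is constructed input shaped like a Function list; names are made up.
const sample = `{"items":[
 {"metadata":{"name":"hello","namespace":"tenant-a"},"spec":{"environment":{"name":"python","namespace":"tenant-a"}}},
 {"metadata":{"name":"probe","namespace":"tenant-a"},"spec":{"environment":{"name":"python","namespace":"tenant-b"}}}]}`

func main() { fmt.Println(crossNamespaceRefs([]byte(sample))) }
```

Any finding on `spec.environment` from a cluster that ran a version prior to 1.24.0 is worth reviewing against the owning tenant's intent.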
EUVD-2026-36097