Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace. This issue has been patched in version 1.24.0.
Published: 2026-06-10
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A KubernetesWatchTrigger lets a Fission function be invoked on Kubernetes object events. Before 1.24.0, a developer with rights only in their own namespace could create a trigger there whose watch targeted a different namespace, and Fission performed no check that the creator was authorized to observe that target. The attacker's function then receives the watch events (add, update, delete) for objects in the victim namespace for as long as the trigger exists: a persistent, cross‑namespace information disclosure of data and state changes the developer should never see. The weaknesses are CWE‑284 (Improper Access Control) and CWE‑862 (Missing Authorization).

Affected Systems

Every Fission release before 1.24.0 is affected, including all minor and patch versions below that number; the fix shipped in 1.24.0. The vendor and product identifier is fission:fission.

Risk and Exploitability

The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, scored 7.7 High) describes a network‑reachable attack that needs only low privileges and no user interaction, with changed scope (the trigger lives in one namespace but reads another) and high confidentiality impact; integrity and availability are untouched. Because the only precondition is permission to create a KubernetesWatchTrigger, which developer roles in shared clusters commonly carry, any authenticated tenant can exploit it without escalating privileges or stealing credentials. EPSS data is unavailable and the CVE is not in CISA KEV, but in multi‑tenant clusters with permissive developer RBAC the exposure should still be treated as high.

Generated by OpenCVE AI on June 10, 2026 at 19:39 UTC.

Remediation

Vendor fix: Fission 1.24.0. No vendor‑documented workaround is recorded on this page; the interim controls below are OpenCVE's recommendations.

OpenCVE Recommended Actions

  • Upgrade Fission to version 1.24.0 or later, which contains the fix.
  • Until the upgrade lands, tighten RBAC so that untrusted developers cannot create or modify KubernetesWatchTrigger objects in any namespace. The flaw is that a trigger created in the developer's own namespace can watch a different one, so restricting creation of the trigger itself, not just cross‑namespace role bindings, is what closes the gap.
  • Audit existing KubernetesWatchTrigger objects whose watched namespace differs from the namespace they were created in, delete any that are not justified, and do not grant the watch‑trigger capability to untrusted tenants.
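As an added worked example (not code from the advisory, OpenCVE, or the Fission project), the following Python covers the two interim controls above: it scans a `kubectl get kuberneteswatchtriggers -A -o json` listing for triggers whose watched namespace differs from the one they were created in, and it evaluates a Role's rules the way the Kubernetes RBAC authorizer does to confirm that a developer Role can no longer create such triggers. The CRD resource name `kuberneteswatchtriggers` in API group `fission.io` and the `spec.namespace` field are assumed from Fission's CRD layout; the trigger objects and Role rules in the block are constructed for illustration.

```python
"""Audit helpers for the Fission KubernetesWatchTrigger issue (CVE-2026-49822).

Two checks a cluster operator wants before 1.24.0 is rolled out:
  1. which existing triggers watch a namespace other than the one they live in;
  2. whether a developer Role still permits creating such triggers.

Assumptions (not stated in the advisory): the Fission CRD is
kuberneteswatchtriggers in API group fission.io, and spec.namespace names the
watched namespace. All objects below are constructed samples.
"""
import json
import sys

# Constructed sample in the shape of `kubectl get kuberneteswatchtriggers -A -o json`.
SAMPLE_KWT_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # benign: a trigger in tenant-a that watches tenant-a's own pods
            "apiVersion": "fission.io/v1", "kind": "KubernetesWatchTrigger",
            "metadata": {"name": "own-pods", "namespace": "tenant-a"},
            "spec": {"namespace": "tenant-a", "type": "pod",
                     "functionref": {"type": "name", "name": "on-pod-change"}},
        },
        {   # the CVE pattern: created in tenant-a, watching pods in tenant-b
            "apiVersion": "fission.io/v1", "kind": "KubernetesWatchTrigger",
            "metadata": {"name": "spy-trigger", "namespace": "tenant-a"},
            "spec": {"namespace": "tenant-b", "type": "pod",
                     "functionref": {"type": "name", "name": "collector"}},
        },
    ],
})


def cross_namespace_watches(kwt_list_json):
    """Return (trigger name, owning namespace, watched namespace) for every
    trigger whose spec.namespace is not the namespace it was created in.
    Triggers with no spec.namespace at all are reported too, for manual review."""
    findings = []
    for item in json.loads(kwt_list_json).get("items", []):
        owner_ns = item["metadata"]["namespace"]
        watched_ns = item.get("spec", {}).get("namespace")
        if watched_ns != owner_ns:
            findings.append((item["metadata"]["name"], owner_ns, watched_ns))
    return findings


def _matches(allowed, value):
    """RBAC list semantics: '*' matches anything, otherwise exact membership."""
    return "*" in allowed or value in allowed


def rbac_allows(rules, verb, api_group, resource):
    """Decide a namespaced resource request against a Role/ClusterRole .rules
    list the way the RBAC authorizer does: any single rule that matches the
    API group, the resource and the verb grants access. (resourceNames and
    nonResourceURLs are not modelled here.)"""
    return any(
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
        for rule in rules
    )


# Weak: a typical "developer" Role that grants everything under fission.io,
# which includes creating watch triggers.
PERMISSIVE_DEV_RULES = [
    {"apiGroups": ["fission.io"], "resources": ["*"], "verbs": ["*"]},
]

# Hardened interim Role for clusters still below 1.24.0: developers keep full
# control of their functions, but watch triggers are read-only so existing
# ones stay visible while none can be created or modified.
HARDENED_DEV_RULES = [
    {"apiGroups": ["fission.io"],
     "resources": ["functions", "packages", "environments",
                   "httptriggers", "timetriggers"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["fission.io"], "resources": ["kuberneteswatchtriggers"],
     "verbs": ["get", "list", "watch"]},
]


if __name__ == "__main__":
    # Real use: kubectl get kuberneteswatchtriggers -A -o json | python3 audit.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_KWT_LIST  # fall back to the constructed sample
    for name, owner, watched in cross_namespace_watches(data):
        print(f"trigger {owner}/{name} watches namespace {watched!r}")
    for label, rules in (("permissive", PERMISSIVE_DEV_RULES),
                         ("hardened", HARDENED_DEV_RULES)):
        can_create = rbac_allows(rules, "create", "fission.io", "kuberneteswatchtriggers")
        print(f"{label} role can create kuberneteswatchtriggers: {can_create}")
```

Against a live cluster, pipe the real `kubectl` listing into the script; each reported trigger is one to justify or delete. The hardened rule set deliberately keeps `get`, `list` and `watch` on the trigger resource (the verb `watch` here is Kubernetes RBAC, unrelated to the trigger type) so operators can still see what exists, while `create`, `update` and `patch` are withheld until the cluster is on 1.24.0.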


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:15:00 +0000 (initial record; no values removed)

  • Description (added): Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace. This issue has been patched in version 1.24.0.
  • Title (added): Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
  • Weaknesses (added): CWE-284, CWE-862
  • References (added): none recorded
  • Metrics (added): cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:43:43.806Z

Reserved: 2026-06-01T18:50:36.055Z

Link: CVE-2026-49822

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-10T18:17:10.243

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-49822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses