Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not. This issue has been patched in version 1.24.0.
Published: 2026-06-10
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fission is a Kubernetes-native serverless framework. Prior to version 1.24.0 the admission webhook validates the namespace of Secret and ConfigMap references but not of Package references. An attacker can craft a Function spec with a PackageRef that points to a namespace they do not own, enabling the Function pod to read data stored in that namespace. This flaw can lead to information disclosure and possible privilege escalation. The weakness is classified as CWE-284 and CWE-863.

Affected Systems

The vulnerability affects all releases of the open-source Fission framework prior to version 1.24.0, including the 1.23.x series and earlier. Users running those versions in a multi-namespace Kubernetes cluster are impacted.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity flaw. Because the admission webhook processes Function objects submitted by cluster users, it is inferred that an attacker with permission to create or modify Functions could exploit the vulnerability. The EPSS score is not available and the flaw is not yet listed in the CISA KEV catalog, but the lack of namespace validation enables the attacker to read data across namespaces once the Function is deployed.

Generated by OpenCVE AI on June 10, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fission installation to version 1.24.0 or later, which applies namespace validation for Package references.
  • Restrict Function creation privileges so that only users who have access to the target namespace can submit Function specs that reference Packages.
  • Audit existing Function objects for PackageRef.Namespace values that reference other namespaces and correct or delete them; monitor admission logs for suspicious PackageRef entries.
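The namespace-consistency check that the advisory says the webhook applied to Secret and ConfigMap references but not to PackageRef, written out as an offline audit over Function objects, as an added example (this is not Fission's own code). It assumes the Function CRD layout used below (`spec.package.packageref`, `spec.secrets`, `spec.configmaps`); the sample list is constructed to mimic the shape of `kubectl get functions -A -o json` and the namespaces in it are invented.

```python
"""Audit Fission Function objects for references that cross namespaces.

Added example, not Fission project code. Field names under .spec are assumed
from Fission's Function CRD; verify them against your installed version.
"""
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

# Constructed sample in the shape of `kubectl get functions -A -o json`.
# "sneaky" references a Package in another team's namespace (the pattern this
# advisory concerns); "legacy" references a ConfigMap outside its namespace.
SAMPLE_FUNCTION_LIST: dict[str, Any] = json.loads("""
{
  "items": [
    {"metadata": {"name": "hello", "namespace": "team-a"},
     "spec": {"package": {"packageref": {"name": "hello-pkg", "namespace": "team-a"}},
              "secrets": [{"name": "api-key", "namespace": "team-a"}],
              "configmaps": []}},
    {"metadata": {"name": "sneaky", "namespace": "team-a"},
     "spec": {"package": {"packageref": {"name": "billing-pkg", "namespace": "team-b"}},
              "secrets": [], "configmaps": []}},
    {"metadata": {"name": "legacy", "namespace": "team-c"},
     "spec": {"package": {"packageref": {"name": "legacy-pkg"}},
              "secrets": [],
              "configmaps": [{"name": "settings", "namespace": "platform"}]}}
  ]
}
""")


def reference_namespaces(fn: dict[str, Any]) -> Iterator[tuple[str, str, str | None]]:
    """Yield (kind, name, namespace) for each Secret, ConfigMap and Package reference."""
    spec = fn.get("spec") or {}
    for ref in spec.get("secrets") or []:
        yield "Secret", ref.get("name", "?"), ref.get("namespace")
    for ref in spec.get("configmaps") or []:
        yield "ConfigMap", ref.get("name", "?"), ref.get("namespace")
    pkg = (spec.get("package") or {}).get("packageref")
    if pkg:
        yield "Package", pkg.get("name", "?"), pkg.get("namespace")


def validate_function(fn: dict[str, Any]) -> list[str]:
    """Return violation strings; an empty list means every reference stays in
    the Function's own namespace. This is the same rule for all three kinds,
    which is what the 1.24.0 fix extends to PackageRef. A reference with no
    explicit namespace is not reported: how Fission defaults it is version
    dependent, so such entries need a manual look rather than a guess here."""
    fn_ns = fn["metadata"]["namespace"]
    fn_name = fn["metadata"]["name"]
    problems = []
    for kind, name, ns in reference_namespaces(fn):
        if ns is not None and ns != fn_ns:
            problems.append(f"{fn_ns}/{fn_name}: {kind} ref {ns}/{name} crosses namespace")
    return problems


def audit(function_list: dict[str, Any]) -> list[str]:
    """Run validate_function over a List object and collect all findings."""
    findings: list[str] = []
    for fn in function_list.get("items") or []:
        findings.extend(validate_function(fn))
    return findings


if __name__ == "__main__":
    # Pipe real cluster output in with: kubectl get functions -A -o json | python audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_FUNCTION_LIST
    for line in audit(data):
        print(line)
```

Run it against the live cluster by piping `kubectl get functions -A -o json` into it; with no stdin it audits the constructed sample and reports the two cross-namespace references. The same `validate_function` rule is what an admission webhook would apply to a Function at create or update time, so a finding from the audit is exactly the kind of object the upgraded webhook rejects.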



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:30:00 +0000

Type | Values removed | Values added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 18:15:00 +0000

Type | Values removed | Values added
Description | (none) | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not. This issue has been patched in version 1.24.0.
Title | (none) | Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
Weaknesses | (none) | CWE-284, CWE-863
References | (none) | (none listed)
Metrics | (none) | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:38:29.382Z

Reserved: 2026-06-01T18:50:36.055Z

Link: CVE-2026-49823

Vulnrichment

Updated: 2026-06-10T19:38:15.734Z

NVD

Status: Deferred

Published: 2026-06-10T18:17:10.380

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-49823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:15:24Z

Weaknesses