Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. This issue has been patched in version 1.24.0.
Published: 2026-06-10
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fission, an open-source, Kubernetes-native serverless platform, enforces that a function's referenced secrets and config maps belong to the same namespace as the function, but it does not perform the same check for environment references. An attacker who can create or modify a function can specify an EnvironmentRef that points to an environment in another namespace, allowing the function to access resources such as secrets or config maps owned by that other namespace. This flaw is classified as CWE-284 (Improper Access Control) and CWE-863 (Unexpected Restriction of Operations).
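The same-namespace check the description refers to, as an added Go example that is not Fission's own webhook code: a simplified validator with the pre-1.24.0 behaviour (secrets and configmaps checked, environment not) beside the fixed form, plus an audit helper for reviewing existing Functions. The struct types, function names and sample namespaces are assumptions made for this example.

```go
package main
import "fmt"

// Constructed stand-ins for a Fission Function object; not Fission's real CRD
// types or webhook code (assumption for this example).
type Ref struct{ Name, Namespace string }
type FunctionSpec struct {
	Secrets, ConfigMaps []Ref
	Environment         Ref
}
type Function struct {
	Name, Namespace string
	Spec            FunctionSpec
}

// checkRefs rejects refs outside the function's namespace; an unset namespace is taken to mean the function's own (assumption).
func checkRefs(fn Function, kind string, refs []Ref) error {
	for _, r := range refs {
		if r.Namespace != "" && r.Namespace != fn.Namespace {
			return fmt.Errorf("%s %q is in %q but function %q is in %q", kind, r.Name, r.Namespace, fn.Name, fn.Namespace)
		}
	}
	return nil
}

// validateLegacy: the pre-1.24.0 logic as the advisory describes it; secrets and configmaps are checked, spec.environment is not.
func validateLegacy(fn Function) error {
	if err := checkRefs(fn, "secret", fn.Spec.Secrets); err != nil {
		return err
	}
	return checkRefs(fn, "configmap", fn.Spec.ConfigMaps)
}

// validateFixed adds the missing same-namespace check on spec.environment.
func validateFixed(fn Function) error {
	if err := validateLegacy(fn); err != nil {
		return err
	}
	return checkRefs(fn, "environment", []Ref{fn.Spec.Environment})
}

// auditCrossNamespaceEnvs lists namespace/name of functions the old check accepts but the fixed check rejects.
func auditCrossNamespaceEnvs(fns []Function) (out []string) {
	for _, fn := range fns {
		if validateLegacy(fn) == nil && validateFixed(fn) != nil {
			out = append(out, fn.Namespace+"/"+fn.Name)
		}
	}
	return out
}
```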

Affected Systems

The affected product is Fission, version 1.23.x and earlier. The issue was addressed in release 1.24.0, which added the missing namespace validation for EnvironmentRef objects. All installations running any pre-1.24.0 version are vulnerable.

Risk and Exploitability

The CVSS score is 8.5, indicating a high severity impact. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an attacker who has permission to create or update Functions (or who has compromised the admission webhook) and supplies an EnvironmentRef that spans namespaces. By doing so, the attacker can read or use sensitive data from the target namespace, potentially enabling further lateral movement or privilege escalation within the cluster. The exploit is straightforward once the attacker can alter function definitions.

Generated by OpenCVE AI on June 10, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fission to version 1.24.0 or later so that EnvironmentRef namespace validation is applied.
  • Audit existing Functions that reference EnvironmentRef objects and modify them so the referenced environment resides in the same namespace as the Function.
  • If an upgrade cannot be performed immediately, restrict cross-namespace EnvironmentRef references by configuring the admission webhook to enforce same-namespace references, or temporarily revoke permissions for creating or updating Functions until the patch is applied.

History

Wed, 10 Jun 2026 18:15:00 +0000

Type: Values Added (no values removed in this entry)
Description: Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. This issue has been patched in version 1.24.0.
Title: Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
Weaknesses: CWE-284, CWE-863
References: (none listed)
Metrics: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:21:55.488Z

Reserved: 2026-06-01T18:50:36.055Z

Link: CVE-2026-49824

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-10T18:17:10.517

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-49824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:15:24Z

Weaknesses