CVE-2026-50565 - Vulnerability Details

- Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. This issue has been patched in version 1.24.0.

Published: 2026-06-10

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs when Fission builder pods created before version 1.24.0 automatically mount the fission‑builder ServiceAccount token into every container, including user‑supplied builder images. This exposes credentials that let the builder container authenticate to the Kubernetes API with the fission‑builder ServiceAccount, potentially granting unauthorized privilege escalation. The issue aligns with CWE‑250, CWE‑269, and CWE‑538.

Affected Systems

Any deployment of Fission older than v1.24.0 is affected. The product is the Fission serverless framework, and any instance running a version prior to 1.24.0 may allow this token leakage.

Risk and Exploitability

The CVSS score of 4.9 rates the vulnerability as moderate, and no EPSS score is available, indicating a lack of publicly documented exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to control or influence the builder pod environment, which is generally limited to users who can deploy or modify functions. The risk is therefore moderate, and applying the patch that removes token auto‑mounting is the recommended mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

fission

affected

Version	Status	Constraints
`< 1.24.0`	affected	—

No data.

Vendor Product Confidence Versions

Fission

100%

Version	Status	Scheme	Platform
`[0,1.24.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Fission to v1.24.0 or newer to eliminate automatic ServiceAccount token mounting.
If upgrading cannot be performed immediately, edit existing builder pod templates to set AutomountServiceAccountToken: false.
Restrict the fission‑builder ServiceAccount to only the permissions required for its role and apply appropriate role‑based access control rules so that even if a token is exposed, privilege escalation is limited.

Generated by OpenCVE AI on June 10, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8wcj-mfrc-jx5q	Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00255.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/fission/fission/pull/3390
https://github.com/fission/fission/releases/tag/v1.24.0
https://github.com/fission/fission/security/advisories/GHSA-8wcj-mfrc-jx5q

History

Thu, 11 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fission Fission fission
Vendors & Products		Fission Fission fission

Wed, 10 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. This issue has been patched in version 1.24.0.
Title		Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container
Weaknesses		CWE-250 CWE-269 CWE-538
References		https://github.com/fission/fission/pull/3390 https://github.com/fission/fission/releases/tag/v1.24.0 https://github.com/fission/fission/security/advisories/GHSA-8wcj-mfrc-jx5q
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Fission Fission

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-10T17:28:27.457Z

Updated: 2026-06-10T18:42:31.704Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50565

Vulnrichment

Updated: 2026-06-10T18:41:53.748Z

NVD

Status : Deferred

Published: 2026-06-10T18:17:12.877

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:41:16Z

Weaknesses

CWE-250
Execution with Unnecessary Privileges
CWE-269
Improper Privilege Management
CWE-538
Insertion of Sensitive Information into Externally-Accessible File or Directory

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object