Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. This issue has been patched in version 1.24.0.
Published: 2026-06-10
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when Fission builder pods created before version 1.24.0 automatically mount the fission‑builder ServiceAccount token into every container, including user‑supplied builder images. This exposes credentials that let the builder container authenticate to the Kubernetes API with the fission‑builder ServiceAccount, potentially granting unauthorized privilege escalation. The issue aligns with CWE‑250, CWE‑269, and CWE‑538.

Affected Systems

Any deployment of Fission older than v1.24.0 is affected. The product is the Fission serverless framework, and any instance running a version prior to 1.24.0 may allow this token leakage.

Risk and Exploitability

The CVSS score of 4.9 rates the vulnerability as moderate, and no EPSS score is available, indicating a lack of publicly documented exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to control or influence the builder pod environment, which is generally limited to users who can deploy or modify functions. The risk is therefore moderate, and applying the patch that removes token auto‑mounting is the recommended mitigation.

Generated by OpenCVE AI on June 10, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fission to v1.24.0 or newer to eliminate automatic ServiceAccount token mounting.
  • If upgrading cannot be performed immediately, edit existing builder pod templates to set AutomountServiceAccountToken: false.
  • Restrict the fission‑builder ServiceAccount to only the permissions required for its role and apply appropriate role‑based access control rules so that even if a token is exposed, privilege escalation is limited.

Generated by OpenCVE AI on June 10, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. This issue has been patched in version 1.24.0.
Title Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container
Weaknesses CWE-250
CWE-269
CWE-538
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:42:31.704Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50565

cve-icon Vulnrichment

Updated: 2026-06-10T18:41:53.748Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T18:17:12.877

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50565

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses