Fission: Cross-namespace Environment reference in Package allows build-time command execution...

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.

Basic Information

ID CVE-2026-49821

Source GitHub_M

Published Jun 10, 2026 at 17:21

Modified Jun 10, 2026 at 18:35

Affected Product

Vendor fission

Product fission

Version < 1.24.0

Affected Versions fission fission < 1.24.0

CWE Classification

CWE-441 CWE-862

References

{
    "lastseen": "",
    "description": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.",
    "published": "2026-06-10T17:21:48.470Z",
    "modified": "2026-06-10T18:35:23.917Z",
    "type": "cve",
    "title": "Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration",
    "source": "GitHub_M",
    "references": "https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4\nhttps://github.com/fission/fission/pull/3379\nhttps://github.com/fission/fission/releases/tag/v1.24.0",
    "id": "CVE-2026-49821",
    "bulletinFamily": "",
    "cwe": [
        "CWE-441",
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "fission fission < 1.24.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "fission",
    "version": "< 1.24.0",
    "vendor": "fission",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration_CVE-2026-49821