CVE-2026-49821
Deferred Deferred - Pending Action
Privilege Escalation in Fission Kubernetes Framework

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-16
NVD
CVE-2026-49821
EUVD
EUVD-2026-36094
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
open_source_fission fission to 1.24.0 (exc)
fission fission to 1.24.0 (exc)
fission fission to 1.23.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49821 is a high-severity vulnerability in Fission, a Kubernetes-native serverless framework. The issue arises because the buildermgr controller processes Package Custom Resource Definitions (CRDs) without verifying that the environment namespace matches the package's namespace.

An attacker who has permission to create packages in their own namespace can exploit this by setting the environment namespace to another tenant's namespace. This causes the controller to use its privileged service account to fetch and execute build commands in the victim's builder pod.

By injecting malicious code, such as through an npm preinstall hook, the attacker can read sensitive tokens from the builder pod's logs, which allows them to access all Secrets and ConfigMaps in the victim's namespace.

This vulnerability was patched in version 1.24.0 by adding admission webhook checks and controller-level validation to prevent cross-namespace environment references.

Compliance Impact

CVE-2026-49821 allows an attacker to escalate privileges across Kubernetes namespaces by exploiting a lack of validation in the Fission buildermgr controller. This can lead to unauthorized access to sensitive information such as Secrets and ConfigMaps in victim namespaces.

Such unauthorized access to sensitive data could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

The vulnerability enables attackers to read bearer tokens and secrets, which could lead to data breaches or unauthorized data exposure, thereby impacting the confidentiality and integrity requirements of these regulations.

The fix implemented in version 1.24.0, including admission webhook validation and controller-level checks, helps mitigate these risks by preventing cross-namespace environment references and unauthorized access.

Impact Analysis

This vulnerability can lead to a serious security breach where an attacker can gain unauthorized access to sensitive information within other tenants' namespaces.

  • The attacker can execute arbitrary build commands in the victim's builder pod.
  • They can inject malicious code to extract bearer tokens from logs.
  • With these tokens, the attacker can access all Secrets and ConfigMaps in the victim's namespace, potentially exposing confidential data.

Overall, this can lead to cross-tenant compromise, data leakage, and unauthorized access to critical Kubernetes resources.

Detection Guidance

This vulnerability involves the buildermgr controller processing Package CRDs without verifying that the environment namespace matches the package's namespace, allowing cross-namespace environment references.

To detect this vulnerability, you can check if your Fission installation is running a version prior to 1.24.0, as versions up to 1.23.0 are affected.

Additionally, you can audit your Kubernetes cluster for Package CRDs where the spec.environment.namespace differs from the metadata.namespace, which indicates potential exploitation or misconfiguration.

  • Use kubectl to list Package CRDs and check for mismatched namespaces:
  • kubectl get packages --all-namespaces -o json | jq '.items[] | select(.spec.environment.namespace != .metadata.namespace) | {package: .metadata.name, packageNamespace: .metadata.namespace, environmentNamespace: .spec.environment.namespace}'
  • Check the version of Fission installed:
  • kubectl -n <fission-namespace> get deployment fission-buildermgr -o jsonpath='{.spec.template.spec.containers[0].image}'

Review builder pod logs for suspicious npm preinstall hooks or unexpected commands that could indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade Fission to version 1.24.0 or later, where the vulnerability has been patched.

The fix includes admission webhook checks and controller-level validation to reject cross-namespace environment references, preventing exploitation.

Until you can upgrade, restrict permissions to create Package CRDs to trusted users only, minimizing the risk of an attacker creating malicious packages.

Monitor builder pod logs for suspicious activity and consider implementing network segmentation or additional access controls to limit cross-namespace access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49821. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart