CVE-2026-49822
Status: Deferred (Pending Action)
Privilege Escalation in Fission KubernetesWatchTrigger

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace. This issue has been patched in version 1.24.0.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-17
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Vendor: fission
Product: fission
Version / Range: 1.24.0
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-49822 is a high-severity vulnerability in Fission, a Kubernetes-native serverless framework. It allows a low-privilege developer who can create a KubernetesWatchTrigger (KWT) in their own namespace to establish a persistent surveillance channel over any other namespace. This means the attacker can receive full event payloads for Pods, Services, and Jobs in other namespaces without having additional privileges.

The vulnerability arises from two main flaws: first, the KWT's service account is cluster-scoped and can watch events in any namespace without proper restrictions; second, the validating webhook only checked the 'create' action, allowing 'update' and 'patch' requests to bypass validation. Additionally, if the spec.namespace field is empty, it defaults to watching all namespaces, enabling cluster-wide surveillance.

This issue was fixed in Fission version 1.24.0 by extending webhook validation to cover both 'create' and 'update' actions, enforcing that the spec.namespace matches the KWT's own namespace, and rejecting cross-namespace targets. Also, unset spec.namespace values now restrict the KWT to its own namespace instead of all namespaces.

Impact Analysis

This vulnerability can impact you by allowing unauthorized access to sensitive event data across Kubernetes namespaces. An attacker with low privileges can monitor events such as Pod, Service, and Job changes in other namespaces, potentially exposing confidential information.

The persistent surveillance channel created by this vulnerability can lead to information leakage and unauthorized visibility into other tenants' or teams' activities within the Kubernetes cluster.

Because the attack vector is network-based and requires only low privileges with no user interaction, it poses a significant risk in multi-tenant or shared Kubernetes environments.

Detection Guidance

This vulnerability involves the KubernetesWatchTrigger (KWT) resource in Fission, where a low-privilege user can create or update KWTs with cross-namespace references to establish surveillance channels. Detection involves inspecting KWT resources for suspicious or unauthorized spec.namespace values that do not match the KWT's own namespace or are empty (which previously defaulted to watching all namespaces).

You can use kubectl commands to list KubernetesWatchTrigger resources and check their spec.namespace fields for anomalies. For example:

  • kubectl get kuberneteswatchtriggers --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.namespace}{"\n"}{end}'

This command lists all KWTs across namespaces, showing their namespace, name, and the spec.namespace field. Any KWT where spec.namespace is empty or does not match the KWT's own namespace could indicate exploitation or misconfiguration related to this vulnerability.

Additionally, monitoring audit logs for creation or update requests to KWT resources with cross-namespace spec.namespace values or unusual update/patch operations bypassing validation could help detect attempts to exploit this issue.
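The two checks described above (empty spec.namespace, or spec.namespace differing from the trigger's own namespace) as a small script run over the JSON form of the kubectl listing. This is an added example, not code from the advisory or the Fission project; the KWT list it ships with is constructed sample data, and the field names mirror the metadata.namespace and spec.namespace fields named above.

```python
import json
import sys

# Constructed sample of `kubectl get kuberneteswatchtriggers -A -o json` output
# (not real cluster data): one benign KWT, one cross-namespace, one with spec.namespace unset.
SAMPLE_KWT_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": "team-a", "name": "own-ns-watch"},
         "spec": {"namespace": "team-a", "type": "Pod"}},
        {"metadata": {"namespace": "team-a", "name": "cross-ns-watch"},
         "spec": {"namespace": "kube-system", "type": "Pod"}},
        {"metadata": {"namespace": "team-b", "name": "unset-ns-watch"},
         "spec": {"type": "Job"}},
    ]
})


def find_suspicious_kwts(kwt_list_json):
    """Return (namespace, name, reason) for every KWT whose spec.namespace is
    empty/unset (before 1.24.0 this meant watching every namespace) or differs
    from the namespace the trigger itself lives in (a cross-namespace watch)."""
    findings = []
    for item in json.loads(kwt_list_json).get("items", []):
        meta = item.get("metadata", {})
        own_ns = meta.get("namespace", "")
        name = meta.get("name", "")
        target_ns = item.get("spec", {}).get("namespace", "")
        if target_ns == "":
            findings.append((own_ns, name, "spec.namespace unset: watched all namespaces before 1.24.0"))
        elif target_ns != own_ns:
            findings.append((own_ns, name, f"cross-namespace watch of '{target_ns}'"))
    return findings


if __name__ == "__main__":
    # Real use: kubectl get kuberneteswatchtriggers -A -o json | python3 kwt_check.py
    # With no piped input the constructed sample is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KWT_LIST
    for ns, name, reason in find_suspicious_kwts(data):
        print(f"{ns}/{name}: {reason}")
```

A hit from this script is a lead, not proof of exploitation: a legitimately configured KWT can also carry a mismatched or empty spec.namespace on a pre-1.24.0 cluster, so confirm against the audit log entries mentioned above.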

Mitigation Strategies

The primary mitigation is to upgrade Fission to version 1.24.0 or later, where this vulnerability has been patched.

The patch includes:

  • Extending the admission webhook to validate both create and update verbs for KubernetesWatchTrigger resources.
  • Rejecting KubernetesWatchTrigger resources with spec.namespace values that do not match the trigger's own namespace, preventing cross-namespace surveillance.
  • Changing behavior so that empty spec.namespace fields default to the trigger's own namespace instead of all namespaces.

Other security improvements in the release include rejecting cross-namespace references in related resources and enhancing security context validations.

If immediate upgrade is not possible, consider auditing and restricting permissions to prevent low-privilege users from creating or updating KubernetesWatchTrigger resources, and monitor for suspicious KWT configurations as described.

Compliance Impact

CVE-2026-49822 allows unauthorized cross-namespace surveillance in the Fission serverless framework, enabling a low-privilege developer to access sensitive event data from other namespaces without proper authorization.

This unauthorized access to confidential data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to sensitive information and mandate the prevention of unauthorized data disclosure.

By enabling persistent surveillance channels across namespaces, the vulnerability undermines proper access control and data isolation, potentially exposing personal or sensitive data to unauthorized parties, thereby impacting compliance with these standards.

The patch in version 1.24.0 addresses these issues by enforcing namespace restrictions and validating cross-namespace references, helping to restore compliance with access control requirements.
