CVE-2026-49821 HIGH

CVE-2026-49821: Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration

Vendor: Fission
Product: fission
Weakness: CWE-441
Published: June 10, 2026
Last update: June 10, 2026

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.
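For operators checking a cluster, the script below is an added example (not Fission's code and not the upstream patch) that audits Package objects for the mismatch described above: a `spec.environment.namespace` that differs from the Package's own `metadata.namespace`. It assumes input shaped like `kubectl get packages.fission.io -A -o json`; the sample data, names and the `audit_packages` helper are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get packages.fission.io -A -o json`.
# All names and namespaces here are made up for illustration.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "pkg-ok", "namespace": "team-a"},
     "spec": {"environment": {"name": "python", "namespace": "team-a"}}},
    {"metadata": {"name": "pkg-cross", "namespace": "team-a"},
     "spec": {"environment": {"name": "builder", "namespace": "team-b"}}},
    {"metadata": {"name": "pkg-unset", "namespace": "team-b"},
     "spec": {"environment": {"name": "node"}}},
]})


def audit_packages(raw):
    """Return findings for Packages whose environment reference leaves
    the Package's own namespace (or does not state a namespace)."""
    doc = json.loads(raw)
    # Accept both a List document and a single Package object.
    items = (doc.get("items") or []) if "items" in doc else [doc]
    findings = []
    for item in items:
        meta = item.get("metadata") or {}
        env = (item.get("spec") or {}).get("environment") or {}
        pkg_ns = meta.get("namespace") or ""
        env_ns = env.get("namespace") or ""
        if env_ns and env_ns == pkg_ns:
            continue  # reference stays inside the Package's namespace
        # Assumption: an empty namespace is surfaced for manual review
        # rather than silently treated as matching.
        kind = "cross-namespace" if env_ns else "namespace-unset"
        findings.append({
            "package": f"{pkg_ns}/{meta.get('name', '?')}",
            "environment": f"{env_ns or '<unset>'}/{env.get('name', '?')}",
            "finding": kind,
        })
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real kubectl JSON on stdin, or run with no input for the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_packages(raw):
        print(f"{f['finding']:16} {f['package']} -> {f['environment']}")
```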

Key dates

02 Disclosure timeline

June 10, 2026: CVE published
June 10, 2026: Record updated