CVE-2026-49821 | Fission is an open-source, Kubernetes-native serverless fram… | CVSS 7.7 HIGH

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.

Metadata

CVE ID: CVE-2026-49821
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-01 18:50 UTC
Published: 2026-06-10 17:21 UTC
Last updated: 2026-06-10 18:35 UTC
Primary CWE: CWE-441
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy'…
Vendor / Product: fission / fission
Sources: cve.org · NVD

Severity & Metrics

7.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
fission	fission	—	< 1.24.0

Weakness (CWE)

CWE	Source	Description
CWE-441	cna	CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CWE-862	cna	CWE-862: Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (3)

https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4 https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4
https://github.com/fission/fission/pull/3379 https://github.com/fission/fission/pull/3379
https://github.com/fission/fission/releases/tag/v1.24.0 https://github.com/fission/fission/releases/tag/v1.24.0