PatchSiren cyber security CVE debrief
CVE-2026-49821 fission CVE debrief
CVE-2026-49821 is a high-severity vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The issue arises because the buildermgr controller processes Package CRDs without verifying that Package.spec.environment.namespace matches Package.metadata.namespace. This vulnerability has been patched in version 1.24.0.
- Vendor: fission
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission, especially those who utilize the framework for deploying functions and applications on Kubernetes, should be aware of this vulnerability. Given its high CVSS score of 7.7, it is crucial for users to assess their exposure and take necessary actions.
Technical summary
The vulnerability exists in the buildermgr controller of Fission, which fails to verify that Package.spec.environment.namespace matches Package.metadata.namespace when processing Package CRDs. This oversight could potentially allow for unauthorized access or modifications. The CVSS score for this issue is 7.7, indicating a high severity level. The vulnerability has been addressed in Fission version 1.24.0.
Defensive priority
High
Recommended defensive actions
- Upgrade to Fission version 1.24.0 or later to patch the vulnerability.
- Review and verify the namespace configurations for Package CRDs to ensure they match the expected settings.
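One way to carry out the namespace review above, as an added example that is not code from Fission or from the advisory: a small audit that reads a Package list and reports every Package whose spec.environment.namespace differs from its metadata.namespace. The sample data, the file name `audit.py`, and the choice to report an unset environment namespace separately for manual review are assumptions.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get packages.fission.io -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "hello-pkg", "namespace": "team-a"},
     "spec": {"environment": {"name": "python", "namespace": "team-a"}}},
    {"metadata": {"name": "report-pkg", "namespace": "team-b"},
     "spec": {"environment": {"name": "python", "namespace": "team-a"}}},
    {"metadata": {"name": "legacy-pkg", "namespace": "team-c"},
     "spec": {"environment": {"name": "python"}}},
]}


def audit_packages(package_list):
    """Return one finding per Package whose environment namespace is not its own."""
    findings = []
    for item in package_list.get("items", []):
        meta = item.get("metadata") or {}
        env = (item.get("spec") or {}).get("environment") or {}
        pkg_ns = meta.get("namespace", "")
        env_ns = env.get("namespace", "")
        if env_ns == pkg_ns:
            continue  # the condition the advisory says must hold
        findings.append({
            "package": f"{pkg_ns}/{meta.get('name', '')}",
            "environment": f"{env_ns or '<unset>'}/{env.get('name', '')}",
            # Assumption: an unset namespace is listed for manual review
            # rather than treated as a confirmed cross-namespace reference.
            "status": "mismatch" if env_ns else "unset",
        })
    return findings


if __name__ == "__main__":
    # Live data: kubectl get packages.fission.io -A -o json | python3 audit.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    results = audit_packages(data)
    for f in results:
        print(f"{f['status']:8} package={f['package']} environment={f['environment']}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check run as a scheduled job or a CI gate while the upgrade to 1.24.0 is rolled out.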
Evidence notes
The CVE-2026-49821 vulnerability details were obtained from official sources, including the CVE record and NVD detail pages. Additional information was gathered from references provided by security advisories.
Official resources
CVE-2026-49821 was published on 2026-06-10T18:17:10.100Z and modified on 2026-06-10T19:37:41.437Z.