PatchSiren cyber security CVE debrief
CVE-2026-49822 fission CVE debrief
CVE-2026-49822 is a high-severity vulnerability in the Fission Kubernetes-native serverless framework. A low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace. This issue has been patched in version 1.24.0.
- Vendor: fission
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of the Fission Kubernetes-native serverless framework, particularly in clusters where low-privilege developers can create KubernetesWatchTrigger (KWT) objects in their own namespace.
Technical summary
Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Fission version 1.24.0 or later.
- Restrict the creation of KubernetesWatchTrigger (KWT) to authorized users.
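One way to check the second action is to audit RBAC for who can write KWT objects. This is an added example, not code from this advisory or the Fission project. It assumes the CRD resource name `kuberneteswatchtriggers` in API group `fission.io`, and all role, namespace and subject names are constructed sample data.

```python
# Added example: list RBAC subjects that can write Fission KubernetesWatchTriggers.
# Assumption: CRD resource "kuberneteswatchtriggers" in API group "fission.io".
API_GROUP, RESOURCE = "fission.io", "kuberneteswatchtriggers"
WRITE_VERBS = {"create", "update", "patch"}

def grants_kwt_write(rule):
    """True if one RBAC rule allows creating or modifying KWT objects."""
    groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
    return (bool(groups & {"*", API_GROUP}) and bool(resources & {"*", RESOURCE})
            and bool(verbs & (WRITE_VERBS | {"*"})))

def kwt_writers(roles, bindings):
    """Return sorted (subject, namespace or '*', role name) for every KWT-writing grant."""
    granting = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"])
                for r in roles if any(grants_kwt_write(x) for x in r.get("rules", []))}
    found = set()
    for b in bindings:
        ref, bind_ns = b["roleRef"], b["metadata"].get("namespace")
        # A Role is resolved in the binding's namespace; a ClusterRole has no namespace.
        role_ns = bind_ns if ref["kind"] == "Role" else None
        if (ref["kind"], role_ns, ref["name"]) in granting:
            for s in b.get("subjects", []):
                # A ClusterRoleBinding (no namespace) grants in every namespace: "*".
                found.add((f'{s["kind"]}:{s["name"]}', bind_ns or "*", ref["name"]))
    return sorted(found)

def role(kind, name, ns, resources, verbs):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta,
            "rules": [{"apiGroups": [API_GROUP], "resources": resources, "verbs": verbs}]}

def binding(ns, ref_kind, ref_name, subj_kind, subj_name):
    meta = {"name": f"{ref_name}-{subj_name}", **({"namespace": ns} if ns else {})}
    return {"metadata": meta, "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": subj_kind, "name": subj_name}]}

# Constructed sample objects (not from a real cluster).
SAMPLE_ROLES = [
    role("Role", "fn-developer", "team-a", ["functions", RESOURCE], ["create", "get", "list"]),
    role("Role", "fn-viewer", "team-b", [RESOURCE], ["get", "list", "watch"]),
    role("ClusterRole", "fission-admin", None, ["*"], ["*"]),
]
SAMPLE_BINDINGS = [
    binding("team-a", "Role", "fn-developer", "User", "alice"),
    binding("team-b", "Role", "fn-viewer", "User", "bob"),
    binding("team-b", "ClusterRole", "fission-admin", "Group", "platform"),
    binding(None, "ClusterRole", "fission-admin", "ServiceAccount", "ci"),
]

if __name__ == "__main__":
    for subject, scope, role_name in kwt_writers(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can write KWTs in namespace {scope} via {role_name}")
```

On a real cluster the same functions can be fed the `items` arrays from `kubectl get roles,clusterroles -A -o json` and `kubectl get rolebindings,clusterrolebindings -A -o json`. Aggregated ClusterRoles are not expanded here.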
Evidence notes
The vulnerability has been patched in version 1.24.0. Users can refer to the [Fission v1.24.0 release](https://github.com/fission/fission/releases/tag/v1.24.0) for more information.
Official resources
CVE-2026-49822 was published on 2026-06-10T18:17:10.243Z and modified on 2026-06-10T19:37:41.437Z.