PatchSiren cyber security CVE debrief
CVE-2026-49823 fission CVE debrief
CVE-2026-49823 is a vulnerability in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not. This issue has been patched in version 1.24.0.
- Vendor: fission
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission prior to version 1.24.0 should be aware of this vulnerability and take steps to upgrade to the patched version.
Technical summary
The vulnerability has a CVSS score of 7.7 and a severity of HIGH. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. The weaknesses associated with this vulnerability are CWE-284 and CWE-863.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Fission version 1.24.0 or later.
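For reviewing existing objects, the following added example (not Fission's own code, and not from the advisory) lists Function references whose namespace differs from the Function's own namespace, covering all three reference types named in the summary. The JSON field names (`spec.package.packageref`, `spec.secrets`, `spec.configmaps`) are assumed from the Fission Function CRD layout, the input is assumed to be a Kubernetes List of Function objects, and the sample data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ref covers both object metadata and Fission references (name + namespace).
type ref struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

// function mirrors only the fields this audit needs; field names are assumed.
type function struct {
	Metadata ref `json:"metadata"`
	Spec     struct {
		Package struct {
			PackageRef ref `json:"packageref"`
		} `json:"package"`
		Secrets    []ref `json:"secrets"`
		ConfigMaps []ref `json:"configmaps"`
	} `json:"spec"`
}

// CrossNamespaceRefs returns one finding per reference that names a namespace
// other than the Function's own. An empty namespace is treated as "same".
func CrossNamespaceRefs(list []byte) ([]string, error) {
	var doc struct{ Items []function `json:"items"` }
	if err := json.Unmarshal(list, &doc); err != nil {
		return nil, err
	}
	var out []string
	for _, f := range doc.Items {
		check := func(kind string, r ref) {
			if r.Namespace != "" && r.Namespace != f.Metadata.Namespace {
				out = append(out, fmt.Sprintf("%s/%s: %s %s/%s",
					f.Metadata.Namespace, f.Metadata.Name, kind, r.Namespace, r.Name))
			}
		}
		check("package", f.Spec.Package.PackageRef)
		for _, s := range f.Spec.Secrets {
			check("secret", s)
		}
		for _, c := range f.Spec.ConfigMaps {
			check("configmap", c)
		}
	}
	return out, nil
}

// Constructed sample: fn-a stays in its namespace, fn-b points at team-b.
const sample = `{"items":[
 {"metadata":{"name":"fn-a","namespace":"team-a"},"spec":{"package":{"packageref":{"name":"pkg-a","namespace":"team-a"}},"secrets":[{"name":"s1","namespace":"team-a"}]}},
 {"metadata":{"name":"fn-b","namespace":"team-a"},"spec":{"package":{"packageref":{"name":"billing-pkg","namespace":"team-b"}}}}]}`

func main() {
	findings, err := CrossNamespaceRefs([]byte(sample))
	fmt.Println(findings, err)
}
```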
Evidence notes
The CVE record can be found at [cve-org]. The NVD detail can be found at [nvd]. The source item URL can be found at [source-item]. Additional information can be found at [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-49823 was published on 2026-06-10T18:17:10.380Z and modified on 2026-06-10T19:37:41.437Z.