PatchSiren cyber security CVE debrief
CVE-2026-49824 fission CVE debrief
CVE-2026-49824 is a vulnerability in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. This issue has been patched in version 1.24.0. The vulnerability has a CVSS score of 8.5 and a severity of HIGH.
- Vendor: fission
- Product: Unknown
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission, an open-source, Kubernetes-native serverless framework, should be aware of this vulnerability and take steps to upgrade to version 1.24.0 or later.
Technical summary
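Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) checked that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace, but applied no equivalent check to spec.environment.namespace. A Function whose spec.environment.namespace differed from its own namespace was therefore not rejected by this validation. The missing check was added in version 1.24.0.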
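The same-namespace check described above can also be run as an audit over Function manifests exported as JSON. This is an added example, not Fission's own webhook code: the Ref and Function types, CrossNamespaceRefs and the sample manifest are constructed for illustration, and an empty namespace is assumed to mean the function's own namespace.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Ref and Function are hypothetical minimal types covering only the fields the page names.
type Ref struct{ Namespace string `json:"namespace"` }

type Function struct {
	Metadata Ref `json:"metadata"`
	Spec     struct {
		Environment Ref   `json:"environment"`
		Secrets     []Ref `json:"secrets"`
		ConfigMaps  []Ref `json:"configmaps"`
	} `json:"spec"`
}

// CrossNamespaceRefs lists every reference whose namespace differs from the
// Function's own. Assumption: an empty namespace is treated as same-namespace.
func CrossNamespaceRefs(manifest []byte) ([]string, error) {
	var fn Function
	if err := json.Unmarshal(manifest, &fn); err != nil {
		return nil, fmt.Errorf("parse function manifest: %w", err)
	}
	var findings []string
	check := func(path string, r Ref) {
		if r.Namespace != "" && r.Namespace != fn.Metadata.Namespace {
			findings = append(findings, fmt.Sprintf("%s=%q", path, r.Namespace))
		}
	}
	check("spec.environment.namespace", fn.Spec.Environment)
	for i, s := range fn.Spec.Secrets {
		check(fmt.Sprintf("spec.secrets[%d].namespace", i), s)
	}
	for i, c := range fn.Spec.ConfigMaps {
		check(fmt.Sprintf("spec.configmaps[%d].namespace", i), c)
	}
	return findings, nil
}

// sampleManifest is constructed for this example, not taken from a real cluster.
const sampleManifest = `{"metadata":{"namespace":"team-a"},"spec":{"environment":{"namespace":"team-b"},
 "secrets":[{"namespace":"team-a"}],"configmaps":[{"namespace":"team-a"}]}}`

func main() {
	findings, err := CrossNamespaceRefs([]byte(sampleManifest))
	fmt.Println(findings, err)
}
```

Any finding on a cluster that ran a version before 1.24.0 marks a Function that was admitted with a reference outside its own namespace and should be reviewed after upgrading.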
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Fission version 1.24.0 or later to patch the vulnerability.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found in the source references [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-49824 was published on 2026-06-10T18:17:10.517Z and modified on 2026-06-10T19:37:41.437Z.