PatchSiren cyber security CVE debrief
CVE-2026-50565 Fission CVE debrief
A vulnerability was found in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and without AutomountServiceAccountToken: false. This configuration allowed the kubelet to auto-mount the service-account token into every container in the pod, including the user-supplied builder image. The issue has been patched in version 1.24.0.
- Vendor: Fission
- Product: Fission
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission versions prior to 1.24.0 who deploy functions and applications on Kubernetes using the Fission framework.
Technical summary
Fission builder pods were created with ServiceAccountName: fission-builder and without AutomountServiceAccountToken: false. As a result, the kubelet auto-mounted the service-account token into every container in the pod, including the user-supplied builder image.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Fission version 1.24.0 or later.
- Review and update existing Fission deployments to ensure AutomountServiceAccountToken: false is set for builder pods.
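One way to carry out the review in the second action, as an added example that is not code from Fission or the advisory: it reads pod JSON in the shape printed by `kubectl get pods -A -o json` and reports builder pods whose containers still receive a service-account token. The sample pods, namespace and container names are constructed; the precedence applied (pod-level field overrides the ServiceAccount's, and unset everywhere means mounted) is standard Kubernetes behavior.

```python
import json

BUILDER_SA = "fission-builder"  # service account name given in the advisory text
TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # standard token mount path


def containers_with_token(pod, sa_automount=None):
    """Names of containers in a Pod dict that end up with a service-account token.

    sa_automount is automountServiceAccountToken on the ServiceAccount object
    (None when unset). The pod-level field wins; unset everywhere means True.
    """
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    effective = spec.get("automountServiceAccountToken")
    if effective is None:
        effective = True if sa_automount is None else sa_automount
    if effective:
        return [c["name"] for c in containers]  # token is mounted into every container
    # Automount is off: only an explicit mount at the token path still exposes one.
    return [c["name"] for c in containers
            if any(m.get("mountPath") == TOKEN_DIR for m in c.get("volumeMounts", []))]


def audit_builder_pods(pod_list, sa_automount=None):
    """Return (namespace, pod, [containers]) for builder pods that expose a token."""
    findings = []
    for pod in pod_list.get("items", []):
        if pod.get("spec", {}).get("serviceAccountName") != BUILDER_SA:
            continue
        exposed = containers_with_token(pod, sa_automount)
        if exposed:
            meta = pod.get("metadata", {})
            findings.append((meta.get("namespace"), meta.get("name"), exposed))
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json`; names are made up.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "demo", "name": "builder-old"},
  "spec": {"serviceAccountName": "fission-builder",
           "containers": [{"name": "builder"}, {"name": "fetcher"}]}},
 {"metadata": {"namespace": "demo", "name": "builder-fixed"},
  "spec": {"serviceAccountName": "fission-builder", "automountServiceAccountToken": false,
           "containers": [{"name": "builder"}, {"name": "fetcher"}]}},
 {"metadata": {"namespace": "demo", "name": "web"},
  "spec": {"serviceAccountName": "default", "containers": [{"name": "app"}]}}
]}""")

if __name__ == "__main__":
    for ns, name, exposed in audit_builder_pods(SAMPLE):
        print(f"{ns}/{name}: token mounted into {', '.join(exposed)}")
```

To audit a real cluster, replace `SAMPLE` with the parsed output of `kubectl get pods -A -o json` and pass the ServiceAccount's own `automountServiceAccountToken` value as `sa_automount` if it is set.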
Evidence notes
The vulnerability was patched in version 1.24.0. References: [ref-5](https://github.com/fission/fission/releases/tag/v1.24.0), [ref-4](https://github.com/fission/fission/pull/3390), [ref-6](https://github.com/fission/fission/security/advisories/GHSA-8wcj-mfrc-jx5q).
Official resources
CVE-2026-50565 was published on 2026-06-10.