These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-50570 is a high-severity vulnerability in Fission, a Kubernetes-native serverless framework. The issue allows tenants to bypass security checks and run attacker-controlled code with elevated Linux capabilities. Fission versions prior to 1.25.0 are affected.
CVE-2026-50569 is a medium-severity vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The vulnerability allows an attacker to bypass URL-level checks when creating an HTTPTrigger via kubectl apply or a direct Kubernetes REST API call. This is due to the HTTPTriggerSpec.Validate() function not validating the RelativeURL and Prefix fields prior to version 1.25.0.
CVE-2026-50568 is a path traversal vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The vulnerability allows a tenant to induce a write or read outside the intended safe directory. This issue was patched in version 1.25.0.
CVE-2026-50566 is a critical vulnerability in Fission, a Kubernetes-native serverless framework. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor's high-privilege service account. This enables container-sandbox escape, h [truncated]
A vulnerability was found in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false. This configuration allowed the kubelet to auto-mount the service-account token into every container in the pod, including the user-supplied builder image. The issue has b [truncated]
CVE-2026-50564 is a critical security vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The issue allows for potential privilege escalation due to the Environment CRD exposing spec.runtime.podSpec and spec.builder.podSpec, which are merged into Kubernetes pod specs without adequate filtering or validation. This could enable an attacker to exploit the system by setting hostN [truncated]
CVE-2026-50563 is a critical vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The issue allows a tenant to supply Function.spec.podspec directly, which is then merged into the executor-built podspec and used to create a Deployment. This could potentially allow an attacker to execute arbitrary code in the user's container image. The vulnerability has been patched in version [truncated]
CVE-2026-50545 is a critical vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The vulnerability has a CVSS score of 9.9 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-50545)). The Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous fields into the generated pods. This i [truncated]
CVE-2026-49824 is a vulnerability in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. This issue has been patched in version 1. [truncated]
CVE-2026-49823 is a vulnerability in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not. This issue has been patched in version 1.24.0.
CVE-2026-49822 is a high-severity vulnerability in the Fission Kubernetes-native serverless framework. A low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace. This issue has been patched in version 1.24.0.
CVE-2026-49821 is a high-severity vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The issue arises from the buildermgr controller processing Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This vulnerability has been patched in version 1.24.0.
CVE-2026-46618 is a security vulnerability in Fission, an open-source, Kubernetes-native serverless framework. Prior to version 1.23.0, the `pkg/builder/builder.go` file passed `Environment.spec.builder.command` directly into `exec.Command(...)` after a `strings.Fields` split, without validating the executable path or its arguments. This allows a user who can create or update Environment CRDs in a namespa [truncated]
CVE-2026-46617 is a high-severity vulnerability in the Fission Kubernetes-native serverless framework. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps. This allowed user-supplied function code to inherit the same Kubernetes API privileges and read any secret [truncated]
CVE-2026-46614 is a critical vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The Fission router registers internal-style routes for every Function object, independent of whether any HTTPTrigger exists for that function. This allows any caller who can reach the router to invoke any function by guessing its metadata.name (and namespace), bypassing host / path / method / met [truncated]
A critical vulnerability was discovered in the Fission storagesvc component. Prior to version 1.23.0, the component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. This allows any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes clus [truncated]