SecuriTricks - CVE-2026-49821

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.

Product(s) Impacted

Vendor	Product	Versions
Fission	Fission	<1.24.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	fission	fission	<1.24.0	/	/	/	/	/	/	/

References

https://github.com/fission/fission/pull/3379

https://github.com/fission/fission/releases/tag/v1.24.0

https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4

CVSS Score

7.7 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

View Vector String

Timeline

Published: June 10, 2026, 6:17 p.m.
Last Modified: June 10, 2026, 7:37 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-49821