{"api_version":"1","generated_at":"2026-06-11T22:29:04+00:00","cve":"CVE-2026-49821","urls":{"html":"https://cve.report/CVE-2026-49821","api":"https://cve.report/api/cve/CVE-2026-49821.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-49821","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-49821"},"summary":{"title":"Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration","description":"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-10 18:17:10","updated_at":"2026-06-10 19:37:41"},"problem_types":["CWE-441","CWE-862","CWE-441 CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/fission/fission/releases/tag/v1.24.0","name":"https://github.com/fission/fission/releases/tag/v1.24.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/fission/fission/pull/3379","name":"https://github.com/fission/fission/pull/3379","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4","name":"https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-49821","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49821","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"fission","product":"fission","version":"affected < 1.24.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-49821","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-10T18:35:17.070325Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-10T18:35:23.917Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"fission","vendor":"fission","versions":[{"status":"affected","version":"< 1.24.0"}]}],"descriptions":[{"lang":"en","value":"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-441","description":"CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T17:21:48.470Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4","tags":["x_refsource_CONFIRM"],"url":"https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4"},{"name":"https://github.com/fission/fission/pull/3379","tags":["x_refsource_MISC"],"url":"https://github.com/fission/fission/pull/3379"},{"name":"https://github.com/fission/fission/releases/tag/v1.24.0","tags":["x_refsource_MISC"],"url":"https://github.com/fission/fission/releases/tag/v1.24.0"}],"source":{"advisory":"GHSA-vjhc-cf4p-72q4","discovery":"UNKNOWN"},"title":"Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-49821","datePublished":"2026-06-10T17:21:48.470Z","dateReserved":"2026-06-01T18:50:36.055Z","dateUpdated":"2026-06-10T18:35:23.917Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-10 18:17:10","lastModifiedDate":"2026-06-10 19:37:41","problem_types":["CWE-441","CWE-862","CWE-441 CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"49821","Ordinal":"1","Title":"Fission: Cross-namespace Environment reference in Package allows","CVE":"CVE-2026-49821","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"49821","Ordinal":"1","NoteData":"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.","Type":"Description","Title":"Fission: Cross-namespace Environment reference in Package allows"}]}}}