Fission Kubernetes Serverless Framework: 17 Vulnerabilities Disclosed Together

Key findings
- Seventeen vulnerabilities disclosed for Fission on June 10, 2026, with Critical and High severities.
- Multiple Critical flaws (CVSSv3 9.9) related to insecure PodSpec configurations and privilege escalation.
- Issues include improper namespace validation, insecure handling of archive entries, and potential for unauthorized access.
- Fixes are available in Fission versions 1.25.0, 1.24.0, and 1.23.0.
- Users are urged to update to the latest patched versions to secure their Fission deployments.
On June 10, 2026, a significant batch of seventeen vulnerabilities was disclosed for Fission, an open-source, Kubernetes-native serverless framework. These vulnerabilities, affecting various versions prior to 1.25.0, 1.24.0, and 1.23.0, span a range of security concerns including privilege escalation, insecure handling of user-supplied data, and improper validation of Kubernetes resources.
The disclosed issues highlight several critical areas of concern within the Fission framework. Notably, CVE-2026-50566, CVE-2026-50564, CVE-2026-50563, and CVE-2026-50545, all rated Critical with CVSSv3 scores of 9.9, stem from insufficient validation of podSpec configurations. These flaws could allow tenants to run privileged containers, escalate privileges, or inject dangerous fields into generated Kubernetes pods, undermining the isolation and security expected in a serverless environment.
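The page does not reproduce Fission's fixed validation code. As an added illustration (not Fission's own code), the block below shows the kind of deny-list check a platform has to run over a tenant-supplied podSpec before copying it into a generated pod: host namespaces, hostPath volumes, privileged containers, privilege escalation and root are each turned into a finding instead of being passed through. The struct types are simplified stand-ins for the corev1.PodSpec fields involved; a real validator would take the k8s.io/api types.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the corev1.PodSpec fields this check looks at.
// Assumption: a real validator would take k8s.io/api/core/v1 types instead.
type SecurityContext struct {
	Privileged               *bool
	AllowPrivilegeEscalation *bool
	RunAsUser                *int64
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type Volume struct {
	Name     string
	HostPath *string // non-nil means a hostPath volume
}

type PodSpec struct {
	HostNetwork    bool
	HostPID        bool
	HostIPC        bool
	Containers     []Container
	InitContainers []Container
	Volumes        []Volume
}

func boolPtr(b bool) *bool { return &b }

func strPtr(s string) *string { return &s }

// ValidatePodSpec returns one finding per field that would let a tenant-
// supplied pod break isolation. An empty result means the spec passed.
// Init containers are checked with the same rules as regular containers.
func ValidatePodSpec(spec *PodSpec) []string {
	var findings []string
	if spec == nil {
		return findings
	}
	if spec.HostNetwork {
		findings = append(findings, "hostNetwork is not allowed")
	}
	if spec.HostPID {
		findings = append(findings, "hostPID is not allowed")
	}
	if spec.HostIPC {
		findings = append(findings, "hostIPC is not allowed")
	}
	for _, v := range spec.Volumes {
		if v.HostPath != nil {
			findings = append(findings, fmt.Sprintf("volume %q: hostPath is not allowed", v.Name))
		}
	}
	all := append(append([]Container{}, spec.InitContainers...), spec.Containers...)
	for _, c := range all {
		sc := c.SecurityContext
		if sc == nil {
			findings = append(findings, fmt.Sprintf("container %q: securityContext must be set", c.Name))
			continue
		}
		if sc.Privileged != nil && *sc.Privileged {
			findings = append(findings, fmt.Sprintf("container %q: privileged is not allowed", c.Name))
		}
		// A nil value is treated as unsafe: the tenant must opt out explicitly.
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			findings = append(findings, fmt.Sprintf("container %q: allowPrivilegeEscalation must be false", c.Name))
		}
		if sc.RunAsUser != nil && *sc.RunAsUser == 0 {
			findings = append(findings, fmt.Sprintf("container %q: runAsUser 0 (root) is not allowed", c.Name))
		}
	}
	return findings
}

func main() {
	// Constructed sample of a spec a tenant could submit if podSpec were
	// copied into the generated pod without validation.
	bad := &PodSpec{
		HostPID: true,
		Containers: []Container{{
			Name:            "fn",
			SecurityContext: &SecurityContext{Privileged: boolPtr(true)},
		}},
		Volumes: []Volume{{Name: "root", HostPath: strPtr("/")}},
	}
	if f := ValidatePodSpec(bad); len(f) > 0 {
		fmt.Println("rejected:\n  " + strings.Join(f, "\n  "))
	}
}
```

The check is written as a deny list over the fields named above because those are the ones the advisory describes; a production validator is better expressed as an allow list (only the fields a tenant legitimately needs, such as resources and env), which also catches fields that were never anticipated.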
Further exacerbating the risk, CVE-2026-46616, a Critical vulnerability (CVSSv3 9.8), arises from the Fission router registering internal routes for every Function object, potentially exposing them independently of intended access controls. This could lead to unauthorized access or manipulation of function endpoints.
Several high-severity vulnerabilities were also identified. CVE-2026-50570 and CVE-2026-49824 (CVSSv3 8.5) relate to inadequate PodSpec safety validation, while CVE-2026-49823 (CVSSv3 7.7) and CVE-2026-49821 (CVSSv3 7.7) involve namespace validation issues for Secrets, ConfigMaps, and Packages, potentially allowing cross-namespace access or manipulation. Additionally, CVE-2026-49822 (CVSSv3 7.7) could enable a low-privilege developer to establish a persistent surveillance channel via KubernetesWatchTriggers.
Medium severity issues include CVE-2026-50569 (CVSSv3 4.3), where certain HTTP trigger configurations were silently skipped, and CVE-2026-50565 (CVSSv3 4.9), which involved Fission builder pods being created with auto-mounted service account tokens, potentially granting unintended access to the Kubernetes API.
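Two of the issues above (the cross-namespace reference problems for Secrets, ConfigMaps and Packages, and the builder pods created with auto-mounted service account tokens) have the same shape of fix: resolve and check each referenced namespace against the Function's own, and set the mount flag explicitly rather than inheriting the default. The block below is an added example written for this page, not Fission's code; the ObjectRef and FunctionSpec types are constructed stand-ins for the Function CRD fields, and the rule that an empty namespace defaults to the Function's namespace is an assumption.

```go
package main

import (
	"fmt"
)

// Constructed stand-ins for the references a Function carries.
// Assumption: the real objects are the Fission CRD types, not these structs.
type ObjectRef struct {
	Kind      string // "Secret", "ConfigMap" or "Package"
	Name      string
	Namespace string // empty is taken to mean "same namespace as the Function"
}

type FunctionSpec struct {
	Name       string
	Namespace  string
	References []ObjectRef
}

// ValidateReferences rejects any reference that resolves outside the
// Function's own namespace. The namespace is resolved first so that an
// empty value cannot slip past a naive string comparison later on.
func ValidateReferences(fn FunctionSpec) error {
	for _, r := range fn.References {
		ns := r.Namespace
		if ns == "" {
			ns = fn.Namespace
		}
		if ns != fn.Namespace {
			return fmt.Errorf("function %s/%s: %s %q is in namespace %q; cross-namespace references are not allowed",
				fn.Namespace, fn.Name, r.Kind, r.Name, ns)
		}
	}
	return nil
}

// BuilderPodSpec holds the two pod fields that matter for the token issue.
type BuilderPodSpec struct {
	ServiceAccountName           string
	AutomountServiceAccountToken *bool
}

// NewBuilderPodSpec opts the builder pod out of token mounting explicitly.
// Leaving the field nil means the pod inherits the ServiceAccount's setting,
// and the Kubernetes default for that is to mount the token.
func NewBuilderPodSpec(serviceAccount string) BuilderPodSpec {
	mount := false
	return BuilderPodSpec{ServiceAccountName: serviceAccount, AutomountServiceAccountToken: &mount}
}

// TokenMounted reports whether a builder pod would receive a service account
// token; nil is treated as mounted, the default when nothing overrides it.
func TokenMounted(spec BuilderPodSpec) bool {
	return spec.AutomountServiceAccountToken == nil || *spec.AutomountServiceAccountToken
}

func main() {
	fn := FunctionSpec{
		Name:      "hello",
		Namespace: "tenant-a",
		References: []ObjectRef{
			{Kind: "Secret", Name: "api-key"},
			{Kind: "Package", Name: "hello-pkg", Namespace: "tenant-b"},
		},
	}
	fmt.Println("references:", ValidateReferences(fn))
	fmt.Println("builder token mounted:", TokenMounted(NewBuilderPodSpec("fission-builder")))
}
```

A builder that genuinely needs the Kubernetes API should get a dedicated ServiceAccount with a narrowly scoped Role and a projected, short-lived token, rather than the default mount.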
Low severity vulnerabilities, such as CVE-2026-50568 (CVSSv3 3.6), involved a lexical analysis issue in file path sanitization, which could be exploited in specific scenarios.
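The page does not say which lexical mistake the file path sanitization made. As an added example (not Fission's code), the block below contrasts one common flaw of this class, a plain string-prefix check that accepts a sibling directory whose name merely starts with the destination's, with a boundary-aware check built on filepath.Rel that also rejects absolute entry names and ".." escapes. The destination and entry names are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideDest = errors.New("archive entry resolves outside the destination directory")

// NaiveIsInside is the prefix check that goes wrong lexically: for dest
// "/tmp/out" it accepts "/tmp/out-other/x" because the prefix matches
// without requiring a path separator at the boundary.
func NaiveIsInside(dest, candidate string) bool {
	return strings.HasPrefix(filepath.Clean(candidate), filepath.Clean(dest))
}

// SafeJoin resolves an archive entry name against dest and returns the
// on-disk path, or an error if the entry would land outside dest.
// It rejects absolute names up front, then checks the cleaned relative
// path for a leading ".." component rather than comparing string prefixes.
func SafeJoin(dest, entry string) (string, error) {
	if filepath.IsAbs(entry) {
		return "", fmt.Errorf("%w: absolute entry %q", ErrOutsideDest, entry)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, entry) // Join cleans the result
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrOutsideDest, err)
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", fmt.Errorf("%w: entry %q", ErrOutsideDest, entry)
	}
	return target, nil
}

func main() {
	// Constructed entry names as they might appear in an uploaded archive.
	entries := []string{"src/handler.py", "../../outside.txt", "../out-other/x", "..x"}
	for _, e := range entries {
		p, err := SafeJoin("/tmp/out", e)
		if err != nil {
			fmt.Printf("skip    %q: %v\n", e, err)
			continue
		}
		fmt.Printf("extract %q -> %s\n", e, p)
	}
	fmt.Println("naive check fooled:", NaiveIsInside("/tmp/out", "/tmp/out-other/x"))
}
```

Note that a file literally named "..x" is accepted, because the check looks at path components rather than at the characters "..": rejecting any name containing ".." would be the opposite lexical mistake and would break legitimate archives. Symlink entries need a separate check, since this lexical test cannot see where a link points.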
The Fission project has addressed these vulnerabilities through several releases. Versions 1.25.0, 1.24.0, and 1.23.0 contain fixes for the respective sets of vulnerabilities. Users are strongly advised to update to the latest stable version of Fission to mitigate these risks. The disclosures indicate a broad range of security improvements were implemented across these releases, addressing fundamental aspects of Kubernetes resource management and data handling within the serverless framework.
This coordinated disclosure of seventeen vulnerabilities underscores the importance of regular security audits and timely patching for complex systems like Kubernetes-native serverless platforms. Users of Fission should prioritize updating their deployments to the patched versions to protect against potential exploitation of these newly revealed weaknesses.