Summary

A Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not.

Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-49823 |
| Vendor | go |
| Affected Product | github.com/fission/fission |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
A tenant with functions.fission.io/create in their own namespace could set spec.package.packageref.namespace to any other namespace. When the function is invoked, the fetcher sidecar reads the victim Package using the fission-fetcher service account's namespace-wide get packages permission and writes its contents to /userfunc/deployarchive inside the attacker's pool pod, exposing the victim's source code and any embedded credentials. The fission-fetcher SA holds get packages in every configured function namespace (granted by `charts/fission-all/templates/_function-access
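The admission-time namespace check the advisory describes as missing for PackageRef, written here as an added example rather than Fission's own code: one rule applied uniformly to Secret, ConfigMap and Package references, using constructed stand-in types for the spec fields named above.

```go
package main

import "fmt"

// ObjectRef is a constructed stand-in for the Function spec's namespaced references
// (spec.secrets, spec.configmaps, spec.package.packageref); not Fission's own types.
type ObjectRef struct {
	Name      string
	Namespace string
}

// Function models only the fields the admission check needs.
type Function struct {
	Name       string
	Namespace  string
	Secrets    []ObjectRef
	ConfigMaps []ObjectRef
	PackageRef ObjectRef
}

// validateRefNamespaces: every reference must stay in the Function's own namespace.
// Assumption: an empty reference namespace means "same as the function" and passes.
func validateRefNamespaces(fn Function) error {
	check := func(kind string, ref ObjectRef) error {
		if ref.Namespace != "" && ref.Namespace != fn.Namespace {
			return fmt.Errorf("function %s/%s: %s %q references namespace %q; cross-namespace references are rejected",
				fn.Namespace, fn.Name, kind, ref.Name, ref.Namespace)
		}
		return nil
	}
	for _, s := range fn.Secrets {
		if err := check("secret", s); err != nil {
			return err
		}
	}
	for _, c := range fn.ConfigMaps {
		if err := check("configmap", c); err != nil {
			return err
		}
	}
	// The check the advisory says was missing: PackageRef.Namespace gets the same rule.
	return check("package", fn.PackageRef)
}

func main() {
	// Constructed sample: a tenant-a function whose packageref points at tenant-b.
	fn := Function{Name: "hello", Namespace: "tenant-a", PackageRef: ObjectRef{Name: "billing-src", Namespace: "tenant-b"}}
	fmt.Println(validateRefNamespaces(fn)) // prints the rejection error
}
```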