GHSA-CVW6-GFVV-953Q
Vulnerability from github – Published: 2026-06-30 18:17 – Updated: 2026-06-30 18:17Summary
The Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on
spec.environment.namespace.
Details
An attacker with permission to create Functions in their own namespace could set spec.environment.namespace to any other tenant's namespace. poolmgr and newdeploy would then look up and use the victim's Environment CRD when scheduling
function pods, so the attacker's function executed inside the victim's container image.
This is useful both for code and credential theft — the victim's runtime image may contain hardcoded secrets — and for confused-deputy attacks where the victim's runtime image is a privileged sidecar.
Impact
A tenant with functions.fission.io/create could run their own function code inside another tenant's container image, breaking the namespace trust boundary that the Function specification implies.
Fix
Fixed in #3389 and released in v1.24.0.
- Admission webhook (
pkg/webhook/function.go::Validate) rejectsFunction.spec.environment.namespace != metadata.namespace. An empty namespace remains accepted (the CLI defaults it to the function's namespace). - Controller belt-and-braces: the same check runs before the cross-namespace
Environments(...).Getin poolmgrgetFunctionEnvand newdeployfnCreate/RefreshFuncPods, covering webhook-bypass clusters (failurePolicy=Ignore) and stale Function objects from upgrade-before-restart windows.
Behavioural change
Functions that explicitly set spec.environment.namespace to a different namespace are now rejected at admission. Empty-string remains accepted.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.23.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fission/fission"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49824"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:17:02Z",
"nvd_published_at": "2026-06-10T18:17:10Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe Fission Function admission webhook (`pkg/webhook/function.go`) validated that `spec.secrets[].namespace` and `spec.configmaps[].namespace` equalled the function\u0027s own namespace but performed no equivalent check on\n`spec.environment.namespace`.\n\n### Details\n\nAn attacker with permission to create Functions in their own namespace could set `spec.environment.namespace` to any other tenant\u0027s namespace. poolmgr and newdeploy would then look up and use the victim\u0027s Environment CRD when scheduling\nfunction pods, so the attacker\u0027s function executed inside the victim\u0027s container image.\n\nThis is useful both for code and credential theft \u2014 the victim\u0027s runtime image may contain hardcoded secrets \u2014 and for confused-deputy attacks where the victim\u0027s runtime image is a privileged sidecar.\n\n### Impact\n\nA tenant with `functions.fission.io/create` could run their own function code inside another tenant\u0027s container image, breaking the namespace trust boundary that the Function specification implies.\n\n### Fix\n\nFixed in [#3389](https://github.com/fission/fission/pull/3389) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0).\n\n- **Admission webhook** (`pkg/webhook/function.go::Validate`) rejects `Function.spec.environment.namespace != metadata.namespace`. An empty namespace remains accepted (the CLI defaults it to the function\u0027s namespace).\n- **Controller belt-and-braces:** the same check runs before the cross-namespace `Environments(...).Get` in poolmgr `getFunctionEnv` and newdeploy `fnCreate` / `RefreshFuncPods`, covering webhook-bypass clusters (`failurePolicy=Ignore`)\nand stale Function objects from upgrade-before-restart windows.\n\n### Behavioural change\n\nFunctions that explicitly set `spec.environment.namespace` to a different namespace are now rejected at admission. Empty-string remains accepted.",
"id": "GHSA-cvw6-gfvv-953q",
"modified": "2026-06-30T18:17:02Z",
"published": "2026-06-30T18:17:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fission/fission/security/advisories/GHSA-cvw6-gfvv-953q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49824"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/pull/3389"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/commit/80e7ba55228e1ef426f51353e25d2682ec61de34"
},
{
"type": "PACKAGE",
"url": "https://github.com/fission/fission"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/releases/tag/v1.24.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.