
GHSA-3r8v-2xmj-5c39: Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook

Severity: High
Published: 06/30/2026 (06/30/2026, 18:16:33 UTC)
Source: GCVE Database
Product: github.com/fission/fission

Description

A vulnerability in Fission prior to version 1.24.0 allows a function author in one namespace to read the deployment archive, including source code and embedded secrets, of any Package in any other namespace. This occurs because the admission webhook did not validate the PackageRef.Namespace field, allowing cross-namespace Package references. The issue is fixed in version 1.24.0 by enforcing namespace validation in the admission webhook.

CVSS v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected software

Ecosystem: Go (GHSA advisory)
Package: github.com/fission/fission
Affected versions: <1.24.0


AI-Powered Analysis (machine-generated threat intelligence)

Last updated: 06/30/2026, 23:51:39 UTC

Technical Analysis

Fission Functions specify references to Secrets, ConfigMaps, and Packages. While Secret and ConfigMap references were namespace-validated by the admission webhook, PackageRef.Namespace was not. This allowed a tenant with create permissions in their namespace to specify a PackageRef.Namespace from any other namespace. When the function is invoked, the fetcher sidecar uses the fission-fetcher service account, which has namespace-wide get permissions on Packages, to read the victim Package and expose its contents inside the attacker's pod. The vulnerability enables unauthorized cross-namespace reading of Package deployment archives, potentially exposing source code and embedded credentials. The issue was fixed in pull request #3389 and released in Fission v1.24.0 by rejecting Functions with PackageRef.Namespace not matching the Function's namespace.

Potential Impact

An attacker with function creation rights in one namespace can read the deployment archives of Packages in other namespaces. This leads to unauthorized disclosure of source code and any embedded secrets contained within those Packages. The vulnerability breaks namespace isolation for Package references in Fission, potentially exposing sensitive information across tenant boundaries.

Mitigation Recommendations

Upgrade to Fission version 1.24.0 or later, where the admission webhook enforces that Function.spec.package.packageref.namespace must match the Function's namespace. Functions that specify a different namespace for PackageRef are rejected at admission, preventing cross-namespace Package reads. Patch status: fixed in v1.24.0.
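The admission rule described above, as an added illustration that is not Fission's own code: a simplified validator that rejects a Function whose Package reference (and, as was already the case for Secrets and ConfigMaps) points outside the Function's namespace. The struct types and the treatment of an empty namespace as "same as the Function" are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative stand-ins for the fields that matter here, not Fission's API types.
type ObjRef struct{ Name, Namespace string }

type Function struct {
	Name, Namespace string
	Package         ObjRef   // spec.package.packageref
	Secrets         []ObjRef // already namespace-checked before the fix
	ConfigMaps      []ObjRef // already namespace-checked before the fix
}

var ErrCrossNamespace = errors.New("cross-namespace reference rejected at admission")

// validateFunctionRefs applies the rule the 1.24.0 fix adds for Packages and that
// Secrets/ConfigMaps already had: every reference must resolve inside the Function's
// own namespace. An empty namespace is treated as "same as the Function" (assumption).
func validateFunctionRefs(fn Function) error {
	refs := []struct {
		kind string
		list []ObjRef
	}{
		{"Package", []ObjRef{fn.Package}},
		{"Secret", fn.Secrets},
		{"ConfigMap", fn.ConfigMaps},
	}
	for _, group := range refs {
		for _, r := range group.list {
			if r.Namespace != "" && r.Namespace != fn.Namespace {
				return fmt.Errorf("%w: %s %s/%s referenced from Function %s/%s",
					ErrCrossNamespace, group.kind, r.Namespace, r.Name, fn.Namespace, fn.Name)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample: a Function in tenant-a pointing at a Package in tenant-b.
	fn := Function{Name: "hello", Namespace: "tenant-a",
		Package: ObjRef{Name: "hello-pkg", Namespace: "tenant-b"}}
	fmt.Println(validateFunctionRefs(fn)) // rejected
	fn.Package.Namespace = "tenant-a"
	fmt.Println(validateFunctionRefs(fn)) // <nil>
}
```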


Technical Details

GCVE Source: db.gcve.eu
OSV ID: GHSA-3r8v-2xmj-5c39
OSV Schema Version: 1.4.0
Aliases: CVE-2026-49823
Ecosystems: Go
Database Specific Severity: HIGH
CVSS Version: 3.1

Threat ID: 6a4452e927e9c797198e1a74

Added to database: 06/30/2026, 23:36:09 UTC

Last enriched: 06/30/2026, 23:51:39 UTC

Last updated: 06/30/2026, 23:51:39 UTC

