CVE Catalog

CVE-2026-50565

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

7th percentile — higher than 7% of all known CVEs

Summary

Fission, a Kubernetes-native serverless framework, prior to version 1.24.0, created builder pods with auto-mounted service account tokens, potentially leading to unauthorized access to resources. This issue has been patched in version 1.24.0.

Risk Assessment

Organizations could be exposed to unauthorized access to Kubernetes resources through malicious builder images. Exploitation of this vulnerability could lead to serious security breaches.

Recommendation

It is recommended to upgrade Fission to version 1.24.0 or later to mitigate the risk associated with auto-mounting service account tokens.

Original NVD description (English source)

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. This issue has been patched in version 1.24.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS