{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-49821: Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-49821","status":"final","version":"1","initial_release_date":"2026-06-10T17:21:48.470Z","current_release_date":"2026-06-10T18:35:23.917Z","revision_history":[{"date":"2026-06-10T17:21:48.470Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-49821 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-49821"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-49821"},{"category":"external","summary":"https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4","url":"https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4"},{"category":"external","summary":"https://github.com/fission/fission/pull/3379","url":"https://github.com/fission/fission/pull/3379"},{"category":"external","summary":"https://github.com/fission/fission/releases/tag/v1.24.0","url":"https://github.com/fission/fission/releases/tag/v1.24.0"}]},"product_tree":{"branches":[{"category":"vendor","name":"fission","branches":[{"category":"product_name","name":"fission","branches":[{"category":"product_version","name":"< 1.24.0","product":{"name":"fission fission < 1.24.0","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:fission:fission:\\<_1.24.0:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-49821","title":"Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration","notes":[{"category":"description","text":"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}