CVE-2026-50565

Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container

CVSS 4.9 MEDIUMEPSS 0.3%CWE-250 CWE-269 CWE-538

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. This issue has been patched in version 1.24.0.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Produtos afetados

fission · fission

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/fission/fission/pull/3390 https://github.com/fission/fission/releases/tag/v1.24.0 https://github.com/fission/fission/security/advisories/GHSA-8wcj-mfrc-jx5q