CVE-2026-49823: Fission Cross-Namespace Package Read via Unvalidated PackageRef
A low-privilege Fission function author in one Kubernetes namespace could read the source code and embedded secrets of any Package in any other namespace by setting a single field the admission webhoo
The problem
Fission's admission webhook validated that Secret and ConfigMap references stay in the function's own namespace, but applied no equivalent check to `spec.package.packageref.namespace`.
An attacker with only `functions.fission.io/create` in their namespace could point that field at any other namespace. On invocation, the `fission-fetcher` sidecar reads the victim Package using its cluster-wide `get packages` permission and writes the archive to `/userfunc/deployarchive` inside the attacker's pool pod, exposing source code and embedded credentials.
Proof of concept
A working proof-of-concept for CVE-2026-49823 in github.com/fission/fission, with the exact payload below.
```yaml
apiVersion: fission.io/v1
kind: Function
metadata:
  name: exfil-fn
  namespace: attacker-ns # attacker's own namespace (they have create here)
spec:
  environment:
    name: python
    namespace: attacker-ns
  package:
    packageref:
      name: victim-secret-package
      namespace: victim-ns # <-- cross-namespace ref; webhook did NOT block this pre-patch
      resourceversion: ""
  resources: {}
```
Before PR #3389, `pkg/webhook/function.go::Validate` checked `spec.secrets[*].namespace` and `spec.configmaps[*].namespace` against `metadata.namespace`, but contained no parallel check for `spec.package.packageref.namespace`. The patch adds exactly that check, rejecting any Function where those two values differ (an empty `packageref.namespace` is still accepted because controllers default it to the function's namespace).
The root cause is an incomplete namespace-isolation pattern (CWE-284, CWE-863): the developer applied the guard to two of the three reference types and missed the third. Because `fission-fetcher` holds `get packages` across every configured function namespace, the missing check was the only isolation boundary between tenants.
The fix
Upgrade to Fission v1.24.0 (PR #3389, commit 80e7ba55). The patched webhook rejects Function creation or update when `spec.package.packageref.namespace` is non-empty and differs from `metadata.namespace`. Functions that relied on cross-namespace Package references must be restructured so the Package lives in the same namespace as the Function.
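An added example, not taken from Fission or from the original advisory: a pre-upgrade audit in Go that applies the rule described above to Function objects that already exist, so cross-namespace Package references are found before the patched webhook starts rejecting updates to them. The function name `CrossNamespaceRefs` and the sample objects are constructed for illustration; real input is assumed to be the output of `kubectl get functions.fission.io -A -o json`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample, shaped like `kubectl get functions.fission.io -A -o json`.
const sampleList = `{"items":[
 {"metadata":{"name":"exfil-fn","namespace":"attacker-ns"},"spec":{"package":{"packageref":{"name":"victim-secret-package","namespace":"victim-ns"}}}},
 {"metadata":{"name":"same-ns-fn","namespace":"team-a"},"spec":{"package":{"packageref":{"name":"pkg-a","namespace":"team-a"}}}},
 {"metadata":{"name":"defaulted-fn","namespace":"team-a"},"spec":{"package":{"packageref":{"name":"pkg-a","namespace":""}}}}]}`

// ref is a name/namespace pair, used for metadata and for packageref.
// encoding/json matches the lower-case JSON keys to these fields case-insensitively.
type ref struct{ Name, Namespace string }

// function keeps only the fields the advisory names.
type function struct {
	Metadata ref
	Spec     struct{ Package struct{ PackageRef ref } }
}

// CrossNamespaceRefs returns "fn-ns/fn -> pkg-ns/pkg" for each Function whose
// packageref.namespace is set and differs from metadata.namespace.
func CrossNamespaceRefs(listJSON []byte) ([]string, error) {
	var list struct{ Items []function }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, f := range list.Items {
		pr := f.Spec.Package.PackageRef
		// An empty namespace is fine: controllers default it to the Function's own.
		if pr.Namespace != "" && pr.Namespace != f.Metadata.Namespace {
			out = append(out, fmt.Sprintf("%s/%s -> %s/%s",
				f.Metadata.Namespace, f.Metadata.Name, pr.Namespace, pr.Name))
		}
	}
	return out, nil
}

func main() {
	refs, err := CrossNamespaceRefs([]byte(sampleList))
	fmt.Println(refs, err)
}
```

Each line it reports is either a legitimate dependency that has to be moved into the Function's namespace before upgrading, or a reference nobody on the owning team can explain and that should be investigated.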
Related research
- high · 8.5 · CVE-2026-49824: Fission Cross-Namespace Environment Reference via Unvalidated EnvironmentRef
- high · 8.1 · Fission MessageQueueTrigger Secret Exfiltration and PodSpec Injection
- high · 7.7 · CVE-2026-49822: Fission KubernetesWatchTrigger Cross-Namespace Event Leakage
- critical · 9.9 · CVE-2026-50545: Fission Environment PodSpec Injection Leading to Node Escape and Cluster Takeover