CVE-2026-50565
MediumCVSS 4.9Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Fission, a Kubernetes-native serverless framework, prior to version 1.24.0, created builder pods with auto-mounted service account tokens, potentially leading to unauthorized access to resources. This issue has been patched in version 1.24.0.
Risk Assessment
Organizations could be exposed to unauthorized access to Kubernetes resources through malicious builder images. Exploitation of this vulnerability could lead to serious security breaches.
Recommendation
It is recommended to upgrade Fission to version 1.24.0 or later to mitigate the risk associated with auto-mounting service account tokens.
Original NVD description (English source)
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. This issue has been patched in version 1.24.0.

