GHSA-gc3j-79f2-7vvw

Source
https://github.com/advisories/GHSA-gc3j-79f2-7vvw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-gc3j-79f2-7vvw/GHSA-gc3j-79f2-7vvw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gc3j-79f2-7vvw
Aliases
  • CVE-2026-49822
Published
2026-06-30T18:16:03Z
Modified
2026-06-30T18:30:08.013684742Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
Details

Summary

A low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace.

Details

Two independent flaws compounded:

  1. pkg/kubewatcher/kubewatcher.go::createKubernetesWatch used w.Spec.Namespace (user-controlled) directly as the Watch target without checking it against w.Namespace (the KWT's own namespace). kubewatcher established the Watch using its cluster-scoped service account and serialized every Pod/Service/Job change event as full JSON over HTTP POST to the attacker's function.
  2. The validating webhook (pkg/webhook/kuberneteswatchtrigger.go) registered verbs=create only, so update/patch requests bypassed validation entirely.

A separate leak: an empty spec.namespace resolved to all namespaces via the controller's default, letting an attacker omit the field to surveil the entire cluster.

Impact

A tenant with kuberneteswatchtriggers.fission.io/create could continuously receive full event payloads for Pods, Services, and Jobs in any namespace — a persistent cross-tenant surveillance channel requiring no additional privileges.

Fix

Fixed in #3379 and released in v1.24.0.

  • The validating webhook marker is extended to verbs=create;update.
  • Validate rejects KubernetesWatchTrigger.spec.namespace != metadata.namespace.
  • A controller guard in createKubernetesWatch rejects cross-namespace targets that bypass admission and coerces an empty Spec.Namespace to the trigger's own namespace.

Behavioural change

KubernetesWatchTriggers with an unset spec.namespace now watch only their own namespace instead of all namespaces. Anyone relying on the previous all-namespaces behaviour must create a separate KWT per namespace.
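The two guards described under "Fix" (admission-time validation registered for both create and update, plus a controller-side check that also coerces an empty spec.namespace) can be illustrated with a small Go model. This is an added example, not Fission's own code: the `WatchTrigger`, `Webhook`, `ValidateWatchTrigger`, `ResolveWatchNamespace` and `Admit` names are hypothetical stand-ins for the real types and functions, and the verb map stands in for the webhook's `verbs=` marker.

```go
package main

import (
	"errors"
	"fmt"
)

// WatchTrigger mirrors the two fields the advisory turns on: the object's own
// namespace (metadata.namespace, set by the API server) and the user-supplied
// watch target (spec.namespace). Hypothetical type, not Fission's.
type WatchTrigger struct {
	Name      string
	Namespace string // metadata.namespace
	Spec      WatchSpec
}

// WatchSpec carries the user-controlled target namespace and resource kind.
type WatchSpec struct {
	Namespace string // spec.namespace; empty means "unset"
	Type      string // e.g. "pod", "service", "job"
}

var ErrCrossNamespace = errors.New("spec.namespace must equal metadata.namespace")

// ValidateWatchTrigger is the admission-time check: a trigger may only target
// the namespace it lives in. An unset spec.namespace is accepted here because
// the controller guard below coerces it to the trigger's own namespace.
func ValidateWatchTrigger(t WatchTrigger) error {
	if t.Namespace == "" {
		return errors.New("metadata.namespace is empty")
	}
	if t.Spec.Namespace != "" && t.Spec.Namespace != t.Namespace {
		return fmt.Errorf("%w: got %q, want %q", ErrCrossNamespace, t.Spec.Namespace, t.Namespace)
	}
	return nil
}

// ResolveWatchNamespace is the controller-side guard, run before a Watch is
// established and independent of whether admission ran at all. It refuses a
// cross-namespace target and turns an empty spec.namespace into the trigger's
// own namespace, so the Watch is never created with "" (all namespaces).
func ResolveWatchNamespace(t WatchTrigger) (string, error) {
	if err := ValidateWatchTrigger(t); err != nil {
		return "", err
	}
	if t.Spec.Namespace == "" {
		return t.Namespace, nil
	}
	return t.Spec.Namespace, nil
}

// Webhook models a validating webhook registration: only operations listed in
// Verbs reach the validator; any other operation is admitted unchecked. This
// is the bypass behind flaw 2 when Verbs contains "create" alone.
type Webhook struct {
	Verbs map[string]bool
}

// Admit returns nil when the operation is not covered by the registration or
// when the trigger passes validation.
func (w Webhook) Admit(op string, t WatchTrigger) error {
	if !w.Verbs[op] {
		return nil
	}
	return ValidateWatchTrigger(t)
}

func main() {
	// Constructed sample triggers: same-namespace, cross-namespace, and unset.
	cross := WatchTrigger{Name: "kwt", Namespace: "team-a", Spec: WatchSpec{Namespace: "team-b", Type: "pod"}}
	unset := WatchTrigger{Name: "kwt", Namespace: "team-a", Spec: WatchSpec{Type: "pod"}}

	createOnly := Webhook{Verbs: map[string]bool{"create": true}}
	createUpdate := Webhook{Verbs: map[string]bool{"create": true, "update": true}}

	fmt.Println("create-only webhook, update op:", createOnly.Admit("update", cross))   // <nil>: bypassed
	fmt.Println("create+update webhook, update op:", createUpdate.Admit("update", cross)) // rejected
	ns, err := ResolveWatchNamespace(unset)
	fmt.Println("unset spec.namespace resolves to:", ns, err) // team-a <nil>
	_, err = ResolveWatchNamespace(cross)
	fmt.Println("controller guard on cross target:", err) // rejected even if admission was skipped
}
```

The point of keeping `ResolveWatchNamespace` separate from the webhook is that the controller guard holds even when a request reaches the API server through an operation the webhook is not registered for; the webhook is the user-facing error, the controller check is the backstop.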

Database specific
{
    "nvd_published_at": "2026-06-10T18:17:10Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-284",
        "CWE-862"
    ],
    "github_reviewed_at": "2026-06-30T18:16:03Z",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/fission/fission

Package

Name
github.com/fission/fission
Purl
pkg:golang/github.com/fission/fission

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.24.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-gc3j-79f2-7vvw/GHSA-gc3j-79f2-7vvw.json"
last_known_affected_version_range
"<= 1.23.0"