GHSA-85G2-PMRX-R49Q

Vulnerability from github – Published: 2026-05-21 20:16 – Updated: 2026-05-21 20:16
VLAI
Summary
Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read
Details

Summary

Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace — far beyond the Function.spec.secrets allowlist that the function specification suggests.

Affected component

  • pkg/executor/executortype/poolmgr/gp_deployment.go:154-156 — pool-manager runtime pod ServiceAccountName.
  • pkg/executor/executortype/newdeploy/newdeploy.go:225-227 — new-deploy runtime pod ServiceAccountName.
  • pkg/utils/serviceaccount.go:51-64fission-fetcher RBAC: namespace-wide get on secrets / configmaps.

Impact

A user able to deploy or update a function in any namespace where Fission runtime pods are scheduled could:

  1. Read every secret in that namespace (TLS keys, OIDC client secrets, database credentials, cloud provider credentials).
  2. Read every configmap in that namespace.
  3. Use those credentials to pivot to other Kubernetes resources or external systems the secrets unlock.

This violates the principle that Function.spec.secrets is the authoritative declaration of which secrets a function can read.

Root cause

The fetcher sidecar legitimately needs the SA token to call the Fission control plane and fetch package archives. Setting ServiceAccountName: fission-fetcher on the pod gives every container in the pod (including the user container) the automounted token. Kubernetes does not provide per-container service-account scoping inside a single pod, so the user container has to be moved into a separate identity / token-mount scheme.

Fix

Released in v1.23.0:

  • PR #3366 (commit fe1842ef):
  • The user function container now sets AutomountServiceAccountToken: false at the container level (via projected-volume token suppression), so the user container no longer sees the pod's SA token even though the fetcher sidecar still does.
  • The fetcher sidecar retains its existing token mount (separate projected volume) since it needs cluster API access for its own work.
  • For the few legitimate use cases where a function needs its own Kubernetes API access, the user is expected to mount a different ServiceAccount via Function.spec.podspec with the minimum necessary RBAC (documented separately).

Mitigation (until upgrade)

  1. Restrict who can create / update Function and Package CRDs in your cluster — treat the ability to ship function code as equivalent to namespace-wide secret read.
  2. Reduce the fission-fetcher ClusterRole / Role scope where possible (e.g. constrain it to specific named secrets via separate Role bindings).
  3. Add NetworkPolicy egress rules denying function pods access to the Kubernetes API server (this blunts the token even if it leaks).
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.22.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fission/fission"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-269",
      "CWE-538"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:16:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nFission runtime pods were created with `ServiceAccountName: fission-fetcher`, and the `fission-fetcher` ServiceAccount was granted namespace-wide `get` on `secrets` and `configmaps` (it needs that to load function code, env vars, and config). The runtime pod\u0027s automounted token was reachable from inside the user\u0027s function container at `/var/run/secrets/kubernetes.io/serviceaccount/token`, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function\u0027s namespace \u2014 far beyond the `Function.spec.secrets` allowlist that the function specification suggests.\n\n### Affected component\n\n- `pkg/executor/executortype/poolmgr/gp_deployment.go:154-156` \u2014 pool-manager runtime pod `ServiceAccountName`.\n- `pkg/executor/executortype/newdeploy/newdeploy.go:225-227` \u2014 new-deploy runtime pod `ServiceAccountName`.\n- `pkg/utils/serviceaccount.go:51-64` \u2014 `fission-fetcher` RBAC: namespace-wide `get` on `secrets` / `configmaps`.\n\n### Impact\n\nA user able to deploy or update a function in any namespace where Fission runtime pods are scheduled could:\n\n1. Read every secret in that namespace (TLS keys, OIDC client secrets, database credentials, cloud provider credentials).\n2. Read every configmap in that namespace.\n3. Use those credentials to pivot to other Kubernetes resources or external systems the secrets unlock.\n\nThis violates the principle that `Function.spec.secrets` is the authoritative declaration of which secrets a function can read.\n\n### Root cause\n\nThe fetcher sidecar legitimately needs the SA token to call the Fission control plane and fetch package archives. Setting `ServiceAccountName: fission-fetcher` on the pod gives every container in the pod (including the user container) the automounted token. Kubernetes does not provide per-container service-account scoping inside a single pod, so the user container has to be moved into a separate identity / token-mount scheme.\n\n### Fix\n\nReleased in [v1.23.0](https://github.com/fission/fission/releases/tag/v1.23.0):\n\n- **PR #3366** (commit `fe1842ef`):\n  - The user function container now sets `AutomountServiceAccountToken: false` at the container level (via projected-volume token suppression), so the user container no longer sees the pod\u0027s SA token even though the fetcher sidecar still does.\n  - The fetcher sidecar retains its existing token mount (separate projected volume) since it needs cluster API access for its own work.\n  - For the few legitimate use cases where a function needs its own Kubernetes API access, the user is expected to mount a different ServiceAccount via `Function.spec.podspec` with the minimum necessary RBAC (documented separately).\n\n### Mitigation (until upgrade)\n\n1. Restrict who can create / update `Function` and `Package` CRDs in your cluster \u2014 treat the ability to ship function code as equivalent to namespace-wide secret read.\n2. Reduce the `fission-fetcher` ClusterRole / Role scope where possible (e.g. constrain it to specific named secrets via separate Role bindings).\n3. Add NetworkPolicy egress rules denying function pods access to the Kubernetes API server (this blunts the token even if it leaks).",
  "id": "GHSA-85g2-pmrx-r49q",
  "modified": "2026-05-21T20:16:12Z",
  "published": "2026-05-21T20:16:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/security/advisories/GHSA-85g2-pmrx-r49q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/pull/3366"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fission/fission"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/releases/tag/v1.23.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Fission runtime pods automount the fission-fetcher service-account token into the user function   container, granting function code namespace-wide secret / configmap read"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.