Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read

Description

Summary

Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace — far beyond the Function.spec.secrets allowlist that the function specification suggests.

Affected component

  • pkg/executor/executortype/poolmgr/gp_deployment.go:154-156 — pool-manager runtime pod ServiceAccountName.
  • pkg/executor/executortype/newdeploy/newdeploy.go:225-227 — new-deploy runtime pod ServiceAccountName.
  • pkg/utils/serviceaccount.go:51-64fission-fetcher RBAC: namespace-wide get on secrets / configmaps.

Impact

A user able to deploy or update a function in any namespace where Fission runtime pods are scheduled could:

  1. Read every secret in that namespace (TLS keys, OIDC client secrets, database credentials, cloud provider credentials).
  2. Read every configmap in that namespace.
  3. Use those credentials to pivot to other Kubernetes resources or external systems the secrets unlock.

This violates the principle that Function.spec.secrets is the authoritative declaration of which secrets a function can read.

Root cause

The fetcher sidecar legitimately needs the SA token to call the Fission control plane and fetch package archives. Setting ServiceAccountName: fission-fetcher on the pod gives every container in the pod (including the user container) the automounted token. Kubernetes does not provide per-container service-account scoping inside a single pod, so the user container has to be moved into a separate identity / token-mount scheme.

Fix

Released in v1.23.0:

  • PR #3366 (commit fe1842ef):
  • The user function container now sets AutomountServiceAccountToken: false at the container level (via projected-volume token suppression), so the user container no longer sees the pod's SA token even though the fetcher sidecar still does.
  • The fetcher sidecar retains its existing token mount (separate projected volume) since it needs cluster API access for its own work.
  • For the few legitimate use cases where a function needs its own Kubernetes API access, the user is expected to mount a different ServiceAccount via Function.spec.podspec with the minimum necessary RBAC (documented separately).

Mitigation (until upgrade)

  1. Restrict who can create / update Function and Package CRDs in your cluster — treat the ability to ship function code as equivalent to namespace-wide secret read.
  2. Reduce the fission-fetcher ClusterRole / Role scope where possible (e.g. constrain it to specific named secrets via separate Role bindings).
  3. Add NetworkPolicy egress rules denying function pods access to the Kubernetes API server (this blunts the token even if it leaks).

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-21 20:16:12 UTC
Updated
2026-06-10 18:41:54 UTC
GitHub reviewed
2026-05-21 20:16:12 UTC
NVD published
2026-06-10

EPSS Score

Score Percentile
0.04% 11.92%

CVSS Scores

Base score Version Severity Vector
8.7 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-250 Execution with Unnecessary Privileges
CWE-269 Improper Privilege Management
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory

Credits

  • FORIMOC (finder)
  • Yuremin (finder)
  • sanketsudake (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/fission/fission <= 1.22.0 1.23.0

References

cvelogic Threat Intelligence