CVE-2026-46614

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/fission/fission/pull/3365
https://github.com/fission/fission/pull/3369
https://github.com/fission/fission/releases/tag/v1.23.0
https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8

Configurations

No configuration.

History

10 Jun 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-10 18:17

Updated : 2026-06-10 19:37

NVD link : CVE-2026-46614

Mitre link : CVE-2026-46614

CVE.ORG link : CVE-2026-46614

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

CWE-862

Missing Authorization

9.8 /10