CVE-2026-46614
CRITICALFission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Title source: cnaDescription
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8
X_Refsource_Misc x_refsource_misc
https://github.com/fission/fission/pull/3365
X_Refsource_Misc x_refsource_misc
https://github.com/fission/fission/pull/3369
X_Refsource_Misc x_refsource_misc
https://github.com/fission/fission/releases/tag/v1.23.0
Scores
CVSS v3
9.8
EPSS
0.0035
EPSS Percentile
26.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-284
CWE-862
Status
published
Products (2)
fission/fission
0 - 1.23.0Go
fission/fission
< 1.23.0
Published
Jun 10, 2026
Tracked Since
Jun 11, 2026