CVE-2026-46617

HIGH

Fission < 1.23.0 Runtime Pods - Service Account Token Exposure

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace — far beyond the Function.spec.secrets allowlist that the function specification suggests. This issue has been patched in version 1.23.0.
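As an added defender-side check, not code from this record or from the Fission project, the Python below audits constructed pod, ServiceAccount and Role objects and reports which sensitive resources code inside a pod could read through an automounted token, following the pre-1.23.0 pod shape the description gives. The "hardened" pod that sets automountServiceAccountToken: false is an illustrative Kubernetes mitigation and an assumption here, not the project's actual fix.

```python
"""Audit for the exposure pattern in CVE-2026-46617: a pod whose ServiceAccount
token is automounted into a container running untrusted code while RBAC grants
that ServiceAccount read access to secrets/configmaps. All objects below are
constructed samples, not Fission's manifests."""

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
READ_VERBS = {"get", "list", "watch", "*"}


def token_automounted(pod: dict, sa: dict) -> bool:
    """Kubernetes mounts the SA token unless disabled; the pod-level flag
    overrides the ServiceAccount-level flag, and the default is True."""
    pod_setting = pod["spec"].get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    return bool(sa.get("automountServiceAccountToken", True))


def sensitive_reads(role: dict) -> set:
    """Sensitive resources that a Role's rules allow reading."""
    exposed = set()
    for rule in role.get("rules", []):
        if not READ_VERBS & set(rule.get("verbs", [])):
            continue
        resources = set(rule.get("resources", []))
        exposed |= SENSITIVE_RESOURCES if "*" in resources else SENSITIVE_RESOURCES & resources
    return exposed


def token_exposure(pod: dict, sa: dict, roles_bound_to_sa: list) -> set:
    """Sensitive resources that code running inside `pod` could read via the
    mounted token; an empty set means the token path is closed or harmless."""
    if not token_automounted(pod, sa):
        return set()
    exposed = set()
    for role in roles_bound_to_sa:
        exposed |= sensitive_reads(role)
    return exposed


# Constructed samples mirroring the advisory text (not from the Fission repo).
FETCHER_SA = {"metadata": {"name": "fission-fetcher"}}
FETCHER_ROLE = {"rules": [{"apiGroups": [""], "verbs": ["get"],
                           "resources": ["secrets", "configmaps"]}]}
# Pre-1.23.0 shape: fetcher SA, token automounted by default.
RUNTIME_POD_VULNERABLE = {"spec": {"serviceAccountName": "fission-fetcher"}}
# Assumed mitigation: opt out of the automount so the function container never
# sees a token (a sidecar that needs one would get its own projected volume).
RUNTIME_POD_HARDENED = {"spec": {"serviceAccountName": "fission-fetcher",
                                 "automountServiceAccountToken": False}}
```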

References (3)

Core References (3), type x_refsource_misc
https://github.com/fission/fission/pull/3366

Scores

CVSS v4 8.7
EPSS 0.0028
EPSS Percentile 19.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-250 CWE-269 CWE-538
Status published
Products (2)
fission/fission 0 - 1.23.0 (Go)
fission/fission < 1.23.0
Published Jun 10, 2026
Tracked Since Jun 11, 2026