CVE Catalog

CVE-2026-46614

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

13th percentile — higher than 13% of all known CVEs

Summary

Fission, a serverless framework for Kubernetes, prior to version 1.23.0 registered internal routes for function objects, allowing them to be invoked without proper permissions. This enabled attackers to call functions by guessing their names and namespaces.

Risk Assessment

Organizations could be exposed to unauthorized function invocations, leading to potential security breaches and uncontrolled access to resources.

Recommendation

It is recommended to upgrade Fission to version 1.23.0 or later to mitigate this vulnerability and implement additional security measures to protect functions.

Original NVD description (English source)

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS