CVE-2026-46614
Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/ and /fission-function// — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/fission/fissionGo | < 1.23.0 | 1.23.0 |
Affected products
1Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-3g33-6vg6-27m8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-46614ghsaADVISORY
- github.com/fission/fission/pull/3365nvdWEB
- github.com/fission/fission/pull/3369nvdWEB
- github.com/fission/fission/releases/tag/v1.23.0nvdWEB
- github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8nvdWEB
News mentions
1- Fission Kubernetes Serverless Framework: 17 Vulnerabilities Disclosed TogetherVypr Intelligence · Jun 10, 2026