CVE-2026-46614
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route โ /fission-function/<name> and /fission-function/<ns>/<name> โ for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.
| CWE | CWE-284 CWE-862 |
| Vendor | fission |
| Product | fission |
| Published | Jun 10, 2026 |
| Last Updated | Jun 10, 2026 |
Get instant alerts for fission fission
Be the first to know when new critical vulnerabilities affecting fission fission are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H