Vulnerability-Lookup

CVE-2026-46614 (GCVE-0-2026-46614)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:19 – Updated: 2026-06-10 18:44

Title

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

Summary

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-284 - Improper Access Control
CWE-862 - Missing Authorization

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/fission/fission/security/advis…	x_refsource_CONFIRM
https://github.com/fission/fission/pull/3365	x_refsource_MISC
https://github.com/fission/fission/pull/3369	x_refsource_MISC
https://github.com/fission/fission/releases/tag/v1.23.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
fission	fission	Affected: < 1.23.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46614",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:44:43.486692Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:44:54.697Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fission",
          "vendor": "fission",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.23.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route \u2014 /fission-function/\u003cname\u003e and /fission-function/\u003cns\u003e/\u003cname\u003e \u2014 for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:19:21.691Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8"
        },
        {
          "name": "https://github.com/fission/fission/pull/3365",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fission/fission/pull/3365"
        },
        {
          "name": "https://github.com/fission/fission/pull/3369",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fission/fission/pull/3369"
        },
        {
          "name": "https://github.com/fission/fission/releases/tag/v1.23.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fission/fission/releases/tag/v1.23.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3g33-6vg6-27m8",
        "discovery": "UNKNOWN"
      },
      "title": "Fission router exposes /fission-function/\u003cns\u003e/\u003cname\u003e on its public listener, allowing invocation of any function without an HTTPTrigger"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46614",
    "datePublished": "2026-06-10T17:19:21.691Z",
    "dateReserved": "2026-05-15T19:34:14.012Z",
    "dateUpdated": "2026-06-10T18:44:54.697Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46614\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-10T18:17:05.580\",\"lastModified\":\"2026-06-10T19:37:41.437\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route \u2014 /fission-function/\u003cname\u003e and /fission-function/\u003cns\u003e/\u003cname\u003e \u2014 for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/fission/fission/pull/3365\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fission/fission/pull/3369\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fission/fission/releases/tag/v1.23.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Fission router exposes /fission-function/\u003cns\u003e/\u003cname\u003e on its public listener, allowing invocation of any function without an HTTPTrigger\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-284\", \"lang\": \"en\", \"description\": \"CWE-284: Improper Access Control\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-862\", \"lang\": \"en\", \"description\": \"CWE-862: Missing Authorization\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8\"}, {\"name\": \"https://github.com/fission/fission/pull/3365\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fission/fission/pull/3365\"}, {\"name\": \"https://github.com/fission/fission/pull/3369\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fission/fission/pull/3369\"}, {\"name\": \"https://github.com/fission/fission/releases/tag/v1.23.0\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/fission/fission/releases/tag/v1.23.0\"}], \"affected\": [{\"vendor\": \"fission\", \"product\": \"fission\", \"versions\": [{\"version\": \"\u003c 1.23.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-10T17:19:21.691Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route \\u2014 /fission-function/\u003cname\u003e and /fission-function/\u003cns\u003e/\u003cname\u003e \\u2014 for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.\"}], \"source\": {\"advisory\": \"GHSA-3g33-6vg6-27m8\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46614\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-10T18:44:43.486692Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-10T18:44:51.554Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-46614\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-05-15T19:34:14.012Z\", \"datePublished\": \"2026-06-10T17:19:21.691Z\", \"dateUpdated\": \"2026-06-10T18:44:54.697Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-46614

Vulnerability from fkie_nvd - Published: 2026-06-10 18:17 - Updated: 2026-06-10 19:37

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/fission/fission/pull/3365
	security-advisories@github.com	https://github.com/fission/fission/pull/3369
	security-advisories@github.com	https://github.com/fission/fission/releases/tag/v1.23.0
	security-advisories@github.com	https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route \u2014 /fission-function/\u003cname\u003e and /fission-function/\u003cns\u003e/\u003cname\u003e \u2014 for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0."
    }
  ],
  "id": "CVE-2026-46614",
  "lastModified": "2026-06-10T19:37:41.437",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-10T18:17:05.580",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fission/fission/pull/3365"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fission/fission/pull/3369"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fission/fission/releases/tag/v1.23.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-3G33-6VG6-27M8

Vulnerability from github – Published: 2026-05-21 20:14 – Updated: 2026-06-10 18:41

Summary

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

Details

Summary

The Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects.

Affected component

pkg/router/httpTriggers.go:280-284 — internalRoute registration via utils.UrlForFunction(fn.Name, fn.Namespace), bound to the function handler.

Impact

An external caller who reaches the public router could:

Invoke functions that the operator intentionally did not publish through an HTTPTrigger (e.g. functions used only as Kubewatcher / Timer / MessageQueue trigger targets, internal helpers, or sample functions).
Bypass HTTPTrigger-level restrictions: a function published only on POST /api/v2/foo could still be invoked as GET /fission-function/<ns>/<name> with arbitrary headers and body.
Enumerate function names by probing the response semantics (404 vs 200 vs 502 from cold start).

In multi-tenant deployments this also crosses tenant boundaries when functions in tenant namespace B are reachable from tenant A's pods (or from anywhere on the internet if the router is ingress-exposed).

Root cause

/fission-function/... was historically used by internal trigger sources (timer, kubewatcher, mqtrigger) that share the cluster network with the router, but the route was registered on the public listener that also serves user HTTPTriggers. The two audiences were never separated.

Fix

Released in v1.23.0:

PR #3369 (commit 814d232c): the router now runs two listeners — a public listener (port 8888, svc/router) that serves only user-defined HTTPTriggers, /router-healthz, and /_version, and an internal listener (port 8889, svc/router-internal, ClusterIP-only) that exclusively serves /fission-function/<ns>/<name>. The internal listener is wrapped with the pkg/auth/hmac.ServiceVerifier using the ServiceRouterInternal derived key — internal trigger sources sign their requests with a per-service HKDF-derived key from a cluster master secret. Empty master secret falls back to pass-through (preserves compatibility for clusters not yet rotating in a secret).
PR #3365 (commit 0aa24788): added per-service NetworkPolicy resources to charts/fission-all, ensuring svc/router-internal is only reachable from kubewatcher, timer, mqtrigger, and mqt-keda pods inside the release namespace.
The internal-listener path itself is still /fission-function/<ns>/<name> — only its location moved.

Mitigation (until upgrade)

Apply a NetworkPolicy to the Fission namespace that allows ingress to svc/router (port 8888) only from the consuming project's ingress controller, and blocks /fission-function/... at the ingress layer (path-based filter on the ingress).
Avoid exposing the router directly via LoadBalancer/NodePort; front it with an ingress that path-filters /fission-function/.
Treat function metadata.name as not a secret — names should not be the access control boundary.

Severity

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.22.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fission/fission"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:14:51Z",
    "nvd_published_at": "2026-06-10T18:17:05Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe Fission router registers an internal-style route \u2014 `/fission-function/\u003cname\u003e` and `/fission-function/\u003cns\u003e/\u003cname\u003e` \u2014 for every `Function` object, independent of whether any `HTTPTrigger` exists for that function. The route was mounted on the same listener as user-defined `HTTPTrigger`s (`svc/router`, port 8888), so any caller who could reach the router could invoke any function by guessing its `metadata.name` (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in `HTTPTrigger` objects.\n\n### Affected component\n\n- `pkg/router/httpTriggers.go:280-284` \u2014 `internalRoute` registration via `utils.UrlForFunction(fn.Name, fn.Namespace)`, bound to the function handler.\n\n### Impact\n\nAn external caller who reaches the public router could:\n\n1. Invoke functions that the operator intentionally did not publish through an `HTTPTrigger` (e.g. functions used only as Kubewatcher / Timer / MessageQueue trigger targets, internal helpers, or sample functions).\n2. Bypass `HTTPTrigger`-level restrictions: a function published only on `POST /api/v2/foo` could still be invoked as `GET /fission-function/\u003cns\u003e/\u003cname\u003e` with arbitrary headers and body.\n3. Enumerate function names by probing the response semantics (404 vs 200 vs 502 from cold start).\n\nIn multi-tenant deployments this also crosses tenant boundaries when functions in tenant namespace B are reachable from tenant A\u0027s pods (or from anywhere on the internet if the router is ingress-exposed).\n\n### Root cause\n\n`/fission-function/...` was historically used by internal trigger sources (timer, kubewatcher, mqtrigger) that share the cluster network with the router, but the route was registered on the public listener that also serves user `HTTPTrigger`s. The two audiences were never separated.\n\n### Fix\n\nReleased in [v1.23.0](https://github.com/fission/fission/releases/tag/v1.23.0):\n\n- **PR #3369** (commit `814d232c`): the router now runs **two** listeners \u2014 a public listener (port 8888, `svc/router`) that serves only user-defined `HTTPTrigger`s, `/router-healthz`, and `/_version`, and an internal listener (port 8889, `svc/router-internal`, ClusterIP-only) that exclusively serves `/fission-function/\u003cns\u003e/\u003cname\u003e`. The internal listener is wrapped with the `pkg/auth/hmac.ServiceVerifier` using the `ServiceRouterInternal` derived key \u2014 internal trigger sources sign their requests with a per-service HKDF-derived key from a cluster master secret. Empty master secret falls back to pass-through (preserves compatibility for clusters not yet rotating in a secret).\n- **PR #3365** (commit `0aa24788`): added per-service `NetworkPolicy` resources to `charts/fission-all`, ensuring `svc/router-internal` is only reachable from `kubewatcher`, `timer`, `mqtrigger`, and `mqt-keda` pods inside the release namespace.\n- The internal-listener path itself is still **`/fission-function/\u003cns\u003e/\u003cname\u003e`** \u2014 only its location moved.\n\n### Mitigation (until upgrade)\n\n1. Apply a `NetworkPolicy` to the Fission namespace that allows ingress to `svc/router` (port 8888) only from the consuming project\u0027s ingress controller, and blocks `/fission-function/...` at the ingress layer (path-based filter on the ingress).\n2. Avoid exposing the router directly via LoadBalancer/NodePort; front it with an ingress that path-filters `/fission-function/`.\n3. Treat function `metadata.name` as **not** a secret \u2014 names should not be the access control boundary.",
  "id": "GHSA-3g33-6vg6-27m8",
  "modified": "2026-06-10T18:41:37Z",
  "published": "2026-05-21T20:14:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/security/advisories/GHSA-3g33-6vg6-27m8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46614"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/pull/3365"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/pull/3369"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fission/fission"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/releases/tag/v1.23.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fission router exposes /fission-function/\u003cns\u003e/\u003cname\u003e on its public listener, allowing invocation of any function without an HTTPTrigger"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46614 (GCVE-0-2026-46614)

FKIE_CVE-2026-46614

GHSA-3G33-6VG6-27M8

Summary

Affected component

Impact

Root cause

Fix

Mitigation (until upgrade)

Tags

Sightings

Nomenclature