Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes cluster — could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0.
Published: 2026-06-10
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fission's storagesvc component exposed the /v1/archive handlers (GET, POST and DELETE) and the /v1/archives listing with no authentication or authorization check in front of them. An unauthenticated caller, including any pod that can reach the storagesvc ClusterIP, could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, or delete existing archives. This is a missing-authentication weakness (CWE-306); because the archives are the function archives that Fission deploys, an attacker could use it to exfiltrate other tenants' function code and data or to tamper with the code those functions run.
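The pattern the advisory describes (handlers registered straight on the mux with nothing in front of them) next to one way of putting both an authentication and a per-tenant authorization check in front of the archive listing, as an added Go example written for this page. It is not Fission's code and not its 1.23.0 fix: the bearer-token scheme, the archive-to-tenant mapping, and the sample archive IDs and tokens are all constructed for the illustration.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// archive is a stand-in for a stored function archive. Tenant ownership is an
// assumption made for this example, not a field documented for Fission.
type archive struct {
	ID     string
	Tenant string
}

type store struct{ archives []archive }

func writeJSON(w http.ResponseWriter, ids []string) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string][]string{"archives": ids})
}

// listAll reproduces the pre-1.23.0 behaviour the advisory describes: every
// caller gets every archive ID, because nothing checks who is asking.
func (s *store) listAll(w http.ResponseWriter, r *http.Request) {
	ids := make([]string, 0, len(s.archives))
	for _, a := range s.archives {
		ids = append(ids, a.ID)
	}
	writeJSON(w, ids)
}

// vulnerableRouter registers the handler directly on the mux (CWE-306).
func vulnerableRouter(s *store) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/archives", s.listAll)
	return mux
}

type tenantKey struct{}

// requireBearer is the authentication half (illustrative, not Fission's fix):
// it resolves a bearer token to a tenant and rejects anything else with 401.
func requireBearer(tokens map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		presented := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		tenant := ""
		for tok, t := range tokens {
			// Constant-time compare so a rejected token does not leak how much
			// of it matched (ConstantTimeCompare still returns early on length).
			if subtle.ConstantTimeCompare([]byte(tok), []byte(presented)) == 1 {
				tenant = t
			}
		}
		if presented == "" || tenant == "" {
			w.Header().Set("WWW-Authenticate", `Bearer realm="storagesvc"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tenantKey{}, tenant)))
	})
}

// listOwn is the authorization half: an authenticated caller sees only the
// archives owned by its own tenant.
func (s *store) listOwn(w http.ResponseWriter, r *http.Request) {
	tenant, _ := r.Context().Value(tenantKey{}).(string)
	ids := []string{}
	for _, a := range s.archives {
		if a.Tenant == tenant {
			ids = append(ids, a.ID)
		}
	}
	writeJSON(w, ids)
}

func hardenedRouter(s *store, tokens map[string]string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/v1/archives", requireBearer(tokens, http.HandlerFunc(s.listOwn)))
	return mux
}

// probe sends GET /v1/archives with an optional bearer token and returns the
// status code plus the archive IDs in the body (nil when the request was rejected).
func probe(h http.Handler, token string) (int, []string) {
	req := httptest.NewRequest(http.MethodGet, "/v1/archives", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	if rec.Code != http.StatusOK {
		return rec.Code, nil
	}
	var body struct {
		Archives []string `json:"archives"`
	}
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return rec.Code, body.Archives
}

// sampleStore holds two constructed archives owned by two constructed tenants.
func sampleStore() *store {
	return &store{archives: []archive{{"arc-alpha", "tenant-a"}, {"arc-beta", "tenant-b"}}}
}

func main() {
	s := sampleStore()
	tokens := map[string]string{"token-a": "tenant-a"} // constructed credential
	code, ids := probe(vulnerableRouter(s), "")
	fmt.Println("vulnerable, no token:", code, ids)
	code, ids = probe(hardenedRouter(s, tokens), "")
	fmt.Println("hardened, no token:  ", code, ids)
	code, ids = probe(hardenedRouter(s, tokens), "token-a")
	fmt.Println("hardened, token-a:   ", code, ids)
}
```

Running it shows the vulnerable router answering an anonymous request with 200 and both archive IDs, the hardened router answering the same request with 401, and a valid tenant-a token yielding 200 with only arc-alpha. The two halves are deliberately separate: the advisory names both authentication and authorization as missing, and a patch that only adds the first would still let one authenticated tenant list and fetch another tenant's archives.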

Affected Systems

Fission, the Kubernetes-native serverless framework, is affected: every release of its storagesvc component before 1.23.0 registers the archive handlers without authentication. Version 1.23.0 and later ship handlers that enforce authentication and authorization.

Risk and Exploitability

The issue carries a CVSS 3.1 score of 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The PR:L component reflects the single precondition: the attacker needs network reach to the storagesvc ClusterIP, which in a cluster without NetworkPolicies means nothing more than running a pod in any namespace, since pod-to-pod traffic is unrestricted by default. No storagesvc credentials are needed, so a foothold in one tenant's workload is enough to enumerate, retrieve, replace or delete every tenant's archives. EPSS data is not yet available and the vulnerability is not listed in CISA's KEV catalog, but the low attack complexity and the multi-tenant blast radius warrant prompt patching.

Generated by OpenCVE AI on June 10, 2026 at 19:40 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround, but the advisory text itself states that the issue is patched in version 1.23.0; treat that release as the vendor fix.

OpenCVE Recommended Actions

  • Upgrade the Fission installation to version 1.23.0 or later, which adds the authentication and authorization checks to the storagesvc archive endpoints. Verify after upgrading by requesting /v1/archives from an unrelated pod without credentials; it should no longer return the archive list.
  • If an immediate upgrade is not feasible, restrict access to the storagesvc ClusterIP with a Kubernetes NetworkPolicy that allows only the Fission components that legitimately use it. This requires a CNI that enforces NetworkPolicy, and note that Fission's own fetcher sidecars in function and builder pods pull archives from storagesvc, so those pods must remain allowed; a NetworkPolicy therefore limits exposure to Fission's namespaces rather than isolating tenants whose functions share them.
  • Removing the CRUD handlers from the storagesvc router is only viable if no packages are uploaded or deployed during the outage, since those handlers are what the rest of Fission uses to store and fetch archives. Firewall or ingress rules at the cluster edge do not address this issue on their own: the exposed path is pod-to-pod traffic to the ClusterIP inside the cluster, which never traverses the ingress.


Advisories
Source: GitHub GHSA
ID: GHSA-chf8-4hv6-8pg6
Title: Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives
History

Wed, 10 Jun 2026 18:15:00 +0000

Description (added): Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes cluster — could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0.

Title (added): Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives

Weaknesses (added): CWE-306

References (added): values not shown on this page

Metrics (added): cvssV3_1, score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

No values were removed in this history entry.



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:30:03.980Z

Reserved: 2026-05-15T19:34:14.011Z

Link: CVE-2026-46612

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-10T18:17:05.427

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-46612

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses