Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.
Published: 2026-06-10
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The problem is that the Fission router automatically registers internal-style routes for every function object, even if no HTTPTrigger is defined for that function. These routes are exposed on the public listener (svc/router, port 8888) that also serves user-defined triggers. An external requester can call /fission-function/<namespace>/<name> and invoke any function simply by knowing its metadata name. Because the request bypasses the host, path, method, and method-allow-list restrictions encoded in HTTPTrigger objects, attackers can execute code in the function's runtime environment without being authenticated or authorized. This translates to a high-severity remote code execution risk.

Affected Systems

Affected deployments are those running the Fission framework version 1.22.x or earlier, which automatically expose all functions on the public router. The vulnerability applies to the fission:fission product across all namespaces. Any deployment that has functions exposed by this router is at risk until the patch is applied.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score is not available, so the current exploit probability is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the public router listener; any external entity that can reach the router can invoke the function. No specific authentication or privilege levels are required, meaning that even unauthenticated traffic could exploit the flaw. The exposed endpoint permits unrestricted code execution within the function’s runtime, which could compromise the underlying Kubernetes cluster if the function uses privileged resources.

Generated by OpenCVE AI on June 10, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Fission release 1.23.0 or later, which removes the automatic route registration for functions without an HTTPTrigger.
  • If an upgrade is not immediately possible, restrict network access to the router (port 8888) so that only trusted clients can reach it, effectively limiting the attack surface.
  • Ensure that all functions that should not be publicly invoked are either deleted, moved to namespaces that are not exposed through the router, or given explicit HTTPTrigger definitions to enforce proper method and path controls.
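As an added illustration of the second recommendation (restricting who can reach the router on port 8888), and not part of the advisory or of the Fission project itself: a Kubernetes NetworkPolicy that allows ingress to the router pods only from client pods carrying an agreed label. The namespace `fission`, the router pod label `svc: router`, and the client label `fission-router-client: allowed` are assumptions and must be matched to the actual deployment; port 8888 comes from the advisory.

```yaml
# Added example, not from the advisory or the Fission project.
# Stopgap until the upgrade to 1.23.0: only pods carrying a known label may
# open TCP connections to the Fission router on port 8888 (port from the
# advisory). Everything else, including traffic arriving from outside the
# cluster through a Service, is denied by this policy.
#
# ASSUMPTIONS to verify against your cluster before applying:
#   - the router runs in namespace "fission" with pod label svc=router
#   - trusted callers (e.g. the ingress controller) carry the label
#     fission-router-client=allowed
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-fission-router-ingress
  namespace: fission                 # assumption
spec:
  podSelector:
    matchLabels:
      svc: router                    # assumption: selects the router pods
  policyTypes:
    - Ingress                        # egress is left untouched
  ingress:
    - from:
        # namespaceSelector and podSelector in the same entry are ANDed:
        # a pod in any namespace, but only if it carries the client label.
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              fission-router-client: allowed   # assumption
      ports:
        - protocol: TCP
          port: 8888                 # router listener named in the advisory
```

The policy is only enforced when the cluster's network plugin implements NetworkPolicy; on a plugin that does not, it is accepted by the API server but has no effect, so verify enforcement from an unlabelled pod after applying it. It reduces who can reach the listener; it does not remove the unauthenticated /fission-function/ routes, which only the 1.23.0 upgrade does.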

Advisories

Source: GitHub GHSA
ID: GHSA-3g33-6vg6-27m8
Title: Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
History

Wed, 10 Jun 2026 19:30:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Description (values added): Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.
Title (values added): Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Weaknesses (values added): CWE-284, CWE-862
References
Metrics (values added): cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T18:44:54.697Z

Reserved: 2026-05-15T19:34:14.012Z

Link: CVE-2026-46614

Vulnrichment

Updated: 2026-06-10T18:44:51.554Z

NVD

Status : Deferred

Published: 2026-06-10T18:17:05.580

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-46614

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses