PatchSiren cyber security CVE debrief
CVE-2026-46612 fission CVE debrief
A critical vulnerability was discovered in the Fission storagesvc component. Prior to version 1.23.0, the component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. This allows any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes cluster — to enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives.
- Vendor: fission
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Anyone running Fission, an open-source, Kubernetes-native serverless framework, at a version prior to 1.23.0 should be aware of this vulnerability.
Technical summary
The Fission storagesvc component serves its archive CRUD endpoints without any authentication check, so requests that reach it are accepted as-is. The CVSS score is 8.8 (high severity), and the associated weakness is CWE-306 (Missing Authentication for Critical Function).
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Fission version 1.23.0 or later.
- Review and restrict access to the storagesvc ClusterIP.
- Implement proper authentication and authorization for archive CRUD operations.
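
The missing check and the last action above, as an added Go example (not Fission's code and not its actual fix): the same two paths registered on a router with no authentication, then wrapped in a middleware that fails closed. The bearer-token scheme, the handler body and all function names are assumptions for illustration; it covers authentication only, not per-tenant authorization.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// archiveHandler is a stand-in for the archive CRUD handlers (hypothetical body).
func archiveHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%s %s handled\n", r.Method, r.URL.Path)
}

// unauthenticatedRouter shows the flawed pattern: routes registered with no auth check.
func unauthenticatedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/archive", archiveHandler)
	mux.HandleFunc("/v1/archives", archiveHandler)
	return mux
}

// requireToken wraps every route; a missing scheme, bad token or empty configured token is rejected.
func requireToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := r.Header.Get("Authorization")
		got := strings.TrimPrefix(hdr, "Bearer ")
		if token == "" || got == hdr || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one in-process request with the given Authorization value and returns the status code.
func status(h http.Handler, method, path, authz string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	guarded := requireToken("constructed-token", unauthenticatedRouter()) // constructed sample token
	fmt.Println(status(unauthenticatedRouter(), "DELETE", "/v1/archive", ""), status(guarded, "DELETE", "/v1/archive", ""))
}
```

Wrapping the whole router, rather than individual handlers, means a route added later cannot be registered outside the check.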
Evidence notes
Evidence for this CVE comes from the official NVD database and Fission's own security advisories.
Official resources
CVE-2026-46612 was published on 2026-06-10T18:17:05.427Z and modified on 2026-06-10T19:37:41.437Z.