PatchSiren cyber security CVE debrief
CVE-2026-46614 fission CVE debrief
CVE-2026-46614 is a critical vulnerability in Fission, an open-source, Kubernetes-native serverless framework. The Fission router registers internal-style routes for every Function object, independent of whether any HTTPTrigger exists for that function. This allows any caller who can reach the router to invoke any function by guessing its metadata.name (and namespace), bypassing host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. The issue has been patched in version 1.23.0.
- Vendor: fission
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Fission, an open-source, Kubernetes-native serverless framework, should be aware of this vulnerability if they are using versions prior to 1.23.0.
Technical summary
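The Fission router registers two internal-style routes, /fission-function/<name> and /fission-function/<ns>/<name>, for every Function object, independent of whether any HTTPTrigger exists for that function. Any caller who can reach the router can therefore invoke a function by guessing its metadata.name (and namespace), bypassing the host, path and method restrictions encoded in HTTPTrigger objects.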
Defensive priority
High
Recommended defensive actions
- Upgrade to Fission version 1.23.0 or later.
- Review and restrict access to the Fission router.
- Implement additional security measures to protect against unauthorized function invocation.
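To support reviewing access to the router, the following added example (not code from Fission or from the advisory) scans access-log lines for requests to the two internal-style route shapes and reports those whose source is outside a trusted in-cluster range. The four-field log format, the CIDR, and the function and namespace names are constructed assumptions; adapt the parsing to whatever your ingress or router actually logs.

```python
import ipaddress
from urllib.parse import unquote

PREFIX = "fission-function"  # route prefix named in the advisory

def parse_internal_route(raw_path):
    """Return (namespace, name) for an internal-style route, else None.
    namespace is None for the short /fission-function/<name> form."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    # Split first, then decode each segment, so %2F cannot add segments
    # and percent-encoded spellings of the prefix are still recognised.
    parts = [unquote(p) for p in path.split("/") if p]
    if len(parts) in (2, 3) and parts[0] == PREFIX:
        return (None, parts[1]) if len(parts) == 2 else (parts[1], parts[2])
    return None

def flag_requests(log_lines, trusted_cidrs):
    """Findings for internal-route requests whose source is not trusted."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:          # not in the assumed log format
            continue
        src, method, path, status = fields
        route = parse_internal_route(path)
        if route is None:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None               # unparseable source: treat as untrusted
        if addr is not None and any(addr in net for net in trusted):
            continue
        findings.append({"src": src, "method": method, "status": status,
                         "namespace": route[0], "function": route[1]})
    return findings

# Constructed sample lines: "<source ip> <method> <path> <status>"
SAMPLE_LOG = [
    "10.42.0.17 POST /fission-function/default/billing-sync 200",  # in-cluster
    "203.0.113.50 GET /orders 200",                                # trigger path
    "203.0.113.50 GET /fission-function/billing-sync 200",
    "198.51.100.9 POST /fission-function/payments/refund?dry=1 200",
    "198.51.100.9 GET /%66ission-function/payments/refund 404",
]
TRUSTED = ["10.42.0.0/16"]  # constructed in-cluster range (assumption)

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG, TRUSTED):
        print(finding)
```

Any finding with a success status on a version prior to 1.23.0 is worth correlating against the HTTPTrigger objects defined for that function.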
Evidence notes
CVE-2026-46614 has a CVSS score of 9.8 and is considered CRITICAL.
Official resources
CVE-2026-46614 was published on 2026-06-10T18:17:05.580Z and modified on 2026-06-10T19:37:41.437Z.