PatchSiren cyber security CVE debrief
CVE-2026-46617 fission CVE debrief
CVE-2026-46617 is a high-severity vulnerability in the Fission Kubernetes-native serverless framework. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps. This allowed user-supplied function code to inherit the same Kubernetes API privileges and read any secret or configmap in the function's namespace, far beyond the Function.spec.secrets allowlist. The issue has been patched in version 1.23.0.
- Vendor: fission
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of the Fission Kubernetes-native serverless framework, particularly those who have not upgraded to version 1.23.0 or later.
Technical summary
Fission runtime pods were created with ServiceAccountName: fission-fetcher, a ServiceAccount holding namespace-wide get permissions on secrets and configmaps. Because a pod's ServiceAccount token is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, user-supplied function code running in the pod could read that token and authenticate to the Kubernetes API with the same privileges, reading any secret or configmap in the function's namespace rather than only those listed in Function.spec.secrets.
Defensive priority
High
Recommended defensive actions
- Upgrade to Fission version 1.23.0 or later.
- Review and restrict ServiceAccount permissions for fission-fetcher.
- Limit access to sensitive data and secrets in the function's namespace.
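The second action above, reviewing the ServiceAccount's permissions, can be checked mechanically. The following is an added example (not Fission's code or manifests): an offline RBAC audit that flags any Role bound to a ServiceAccount that grants read access to secrets or configmaps without a resourceNames restriction, run over constructed Role and RoleBinding objects; the namespace `fn-ns` and role names are assumed sample values.

```python
"""Offline RBAC audit for 'review and restrict ServiceAccount permissions':
flag Roles bound to a ServiceAccount that grant namespace-wide read of
secrets/configmaps. Inputs are dicts shaped like `kubectl get -o json` items."""

READ_VERBS = {"get", "list", "watch", "*"}
SENSITIVE = {"secrets", "configmaps"}

def roles_bound_to(sa_ns, sa_name, bindings, roles):
    """Roles in the binding's namespace that a RoleBinding ties to the SA."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    bound = []
    for b in bindings:
        is_subject = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                         and s.get("namespace") == sa_ns for s in b.get("subjects", []))
        if is_subject and b["roleRef"].get("kind") == "Role":
            role = by_key.get((b["metadata"]["namespace"], b["roleRef"]["name"]))
            if role:
                bound.append(role)
    return bound

def namespace_wide_reads(role):
    """Sensitive resources a rule reads with no resourceNames restriction,
    i.e. every object of that kind in the namespace."""
    found = set()
    for rule in role.get("rules", []):
        if not (set(rule.get("verbs", [])) & READ_VERBS) or rule.get("resourceNames"):
            continue  # no read verb, or scoped to named objects (allowlist-style)
        found |= {r for r in rule.get("resources", []) if r in SENSITIVE or r == "*"}
    return found

def audit(sa_ns, sa_name, bindings, roles):
    """Sorted (role name, resource) findings; empty means nothing namespace-wide."""
    return sorted((r["metadata"]["name"], res)
                  for r in roles_bound_to(sa_ns, sa_name, bindings, roles)
                  for res in namespace_wide_reads(r))

# Constructed sample objects (not from a real cluster, not Fission's own manifests).
NS = "fn-ns"
WEAK_ROLE = {"metadata": {"namespace": NS, "name": "fetcher-wide"}, "rules": [
    {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get"]}]}
SCOPED_ROLE = {"metadata": {"namespace": NS, "name": "fetcher-scoped"}, "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
     "resourceNames": ["db-creds"]}]}

def binding(role_name, sa_name="fission-fetcher"):
    # RoleBinding granting role_name to the ServiceAccount in NS (constructed).
    return {"metadata": {"namespace": NS, "name": role_name + "-rb"},
            "roleRef": {"kind": "Role", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": NS}]}
```

Against a live cluster, `kubectl auth can-i --as=system:serviceaccount:<namespace>:fission-fetcher get secrets -n <namespace>` answers the same question for one resource at a time.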
Evidence notes
CVE-2026-46617 has a CVSS score of 8.7 and is considered HIGH severity. The vulnerability was patched in Fission version 1.23.0.
Official resources
CVE-2026-46617 was published on 2026-06-10T18:17:05.720Z and modified on 2026-06-10T19:37:41.437Z.