CVE-2026-46614EPSS p27.0%

CVE-2026-46614CVE-2026-46614

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/<name> and /fission-function/<ns>/<name> — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0.

Scoring

CVSS 9.8 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.35% probability of exploitation · percentile 27.0% · 2026-06-18T12:00:27Z
Last modified2026-06-10

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-46617
CVE
CVE-2026-46612
CVE
CVE-2026-49824
CVE
CVE-2026-50569
CVE
CVE-2026-46618
CVE
CVE-2026-50563
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.