CVE-2026-46614

Name of the Vulnerable Software and Affected Versions Fission versions prior to 1.23.0

Description The Fission router registers internal routes '/fission-function/' and '/fission-function//' for every function object, regardless of whether an HTTPTrigger exists. Because these routes are mounted on the same listener as user-defined HTTPTriggers, an external caller can invoke any function by guessing its metadata.name and namespace. This allows attackers to bypass host, path, method, and method-allow-list restrictions, invoke functions not intended for public access (such as internal helpers or those triggered by timers), and enumerate function names by analyzing response semantics. In multi-tenant environments, this can lead to unauthorized access across tenant boundaries.

Recommendations Update to version 1.23.0. As a temporary workaround, apply a NetworkPolicy to the Fission namespace to allow ingress to svc/router (port 8888) only from the consuming project's ingress controller. As a temporary workaround, block the '/fission-function/...' path at the ingress layer using a path-based filter. As a temporary workaround, avoid exposing the router directly via LoadBalancer or NodePort and use an ingress that filters the '/fission-function/' path.