PT-2026-42687 · Fission · Fission

Published

2026-05-21

·

Updated

2026-05-21

·

CVE-2026-46617

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Fission versions prior to 1.23.0

Description

Runtime pods were configured with the fission-fetcher ServiceAccount, which holds namespace-wide get permissions on secrets and configmaps. Because the service account token was automounted and readable at /var/run/secrets/kubernetes.io/serviceaccount/token, user-supplied function code inherited those privileges. An attacker able to deploy or update a function can therefore read every secret (for example TLS keys, OIDC client secrets, and database credentials) and configmap in the function's namespace, bypassing the per-function secret list defined in Function.spec.secrets.

Recommendations

Update to version 1.23.0. Restrict permissions to create or update Function and Package custom resources. Reduce the scope of the fission-fetcher ClusterRole or Role by constraining it to specific named secrets (resourceNames) in a separate Role and binding. Add NetworkPolicy egress rules that deny function pods access to the Kubernetes API server.
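The description and the recommendations above combine two conditions: the function pod must mount a ServiceAccount token, and the Role bound to that ServiceAccount must allow get on secrets without a resourceNames restriction. The following Python script is an added example, not Fission's code and not part of the original advisory; it re-implements the Kubernetes RBAC matching rules for namespaced resources (exact match or "*" per field, resourceNames applied only when the request names an object) and the pod/ServiceAccount automount precedence, then evaluates the weak grant described above against a hardened one. Secret names, pod specs and role contents are constructed fixtures; subresources, nonResourceURLs and binding scope are deliberately left out.

```python
"""Added example (not Fission's code): offline check of whether user code in a
function pod can read arbitrary namespace secrets. Reproduces the two conditions
in the advisory: (1) the ServiceAccount token is projected into the pod and
(2) the bound Role/ClusterRole grants `get` on secrets with no resourceNames.
Rule matching follows the Kubernetes RBAC evaluator for namespaced resources;
subresources, nonResourceURLs and binding scope are omitted. All names, specs
and rules below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Path at which an automounted token is exposed to every container in the pod.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


@dataclass
class Rule:
    """One entry of a Role/ClusterRole `rules:` list."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


def _matches(allowed: List[str], wanted: str) -> bool:
    return wanted in allowed or "*" in allowed


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str, name: str = "") -> bool:
    """RBAC rule evaluation. A collection request (list/watch) carries no object
    name, so a rule with resourceNames never matches it: resourceNames narrows
    `get` to named objects, it does not turn `list` into a filtered list."""
    if not (_matches(rule.verbs, verb) and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)):
        return False
    if rule.resource_names and name not in rule.resource_names:
        return False
    return True


def pod_mounts_token(pod_spec: Dict, service_account: Dict) -> bool:
    """pod.spec.automountServiceAccountToken overrides the ServiceAccount's
    automountServiceAccountToken; both unset means the token lands at TOKEN_PATH."""
    pod_setting: Optional[bool] = pod_spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    return service_account.get("automountServiceAccountToken", True)


def readable_secrets(rules: List[Rule], secret_names: List[str]) -> Set[str]:
    """Secrets in the namespace that the bound rules let the ServiceAccount `get`."""
    return {s for s in secret_names
            if any(rule_allows(r, "get", "", "secrets", s) for r in rules)}


def function_can_read(pod_spec: Dict, service_account: Dict,
                      rules: List[Rule], secret_names: List[str]) -> Set[str]:
    """Secrets reachable from user code inside the function pod: empty unless the
    token is mounted AND RBAC grants get on the secret."""
    if not pod_mounts_token(pod_spec, service_account):
        return set()
    return readable_secrets(rules, secret_names)


# --- constructed fixtures (names are assumptions for the example) ---
NAMESPACE_SECRETS = ["db-creds", "oidc-client", "tls-key", "fetcher-pull-secret"]
FETCHER_SA = {"metadata": {"name": "fission-fetcher"}}  # automount unset -> defaults to true

# Shape of the vulnerable grant described in the advisory: namespace-wide get.
WEAK_RULES = [Rule(api_groups=[""], resources=["secrets", "configmaps"], verbs=["get"])]

# Hardened grant: get only on one named secret, as the recommendations suggest.
HARDENED_RULES = [Rule(api_groups=[""], resources=["secrets"], verbs=["get"],
                       resource_names=["fetcher-pull-secret"])]

VULNERABLE_POD = {"serviceAccountName": "fission-fetcher"}  # token automounted
HARDENED_POD = {"serviceAccountName": "fission-fetcher", "automountServiceAccountToken": False}


if __name__ == "__main__":
    print("weak RBAC, token mounted        :",
          sorted(function_can_read(VULNERABLE_POD, FETCHER_SA, WEAK_RULES, NAMESPACE_SECRETS)))
    print("named-secret RBAC, token mounted:",
          sorted(function_can_read(VULNERABLE_POD, FETCHER_SA, HARDENED_RULES, NAMESPACE_SECRETS)))
    print("weak RBAC, token not mounted    :",
          sorted(function_can_read(HARDENED_POD, FETCHER_SA, WEAK_RULES, NAMESPACE_SECRETS)))
    print("hardened rule allows `list secrets`?",
          any(rule_allows(r, "list", "", "secrets") for r in HARDENED_RULES))
```

Two practical caveats follow from the evaluator. A resourceNames-scoped Role denies list and watch outright rather than filtering them, so any fetcher component that enumerates secrets will break and must be given the names it needs explicitly. And narrowing RBAC does not remove the token from the pod; the NetworkPolicy egress rule in the recommendations is the layer that stops function code from presenting that token to the API server at all, and it only helps when the cluster's CNI enforces egress policies.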

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2026-46617
GHSA-85G2-PMRX-R49Q

Affected Products

Fission