CVE-2026-46614 is a critical-severity missing authorization vulnerability in github.com/fission/fission (go), affecting versions <= 1.22.0. It is fixed in 1.23.0.
Summary
The Fission router registers an internal-style route, /fission-function/<name> and /fission-function/<ns>/<name>, for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects.

Affected component
pkg/router/httpTriggers.go:280-284: internalRoute registration via utils.UrlForFunction(fn.Name, fn.Namespace), bound to the function handler.

Impact
An external caller who reaches the public router could:
- Invoke functions that the operator intentionally did not publish through an HTTPTrigger (e.g. functions used only as Kubewatcher / Timer / MessageQueue trigger targets, internal helpers, or sample functions).
- Bypass HTTPTrigger-level restrictions: a function published only on POST /api/v2/foo could still be invoked as GET /fission-function/<ns>/<name> with arbitrary headers and body.
- Enumerate function names by probing the response semantics (404 vs 200 vs 502 from cold start).
In multi-tenant deployments this also crosses tenant boundaries when functions in tenant namespace B are reachable from tenant A's pods (or from anywhere on the internet if the router is ingress-exposed).

Root cause
/fission-function/... was historically used by internal trigger sources (timer, kubewatcher, mqtrigger) that share the cluster network with the router, but the route was registered on the public listener that also serves user HTTPTriggers. The two audiences were never separated.
Fix
Released in v1.23.0:
- PR #3369 (commit 814d232c): the router now runs two listeners: a public listener (port 8888, svc/router) that serves only user-defined HTTPTriggers, /router-healthz, and /_version, and an internal listener (port 8889, svc/router-internal, ClusterIP-only) that exclusively serves /fission-function/<ns>/<name>. The internal listener is wrapped with the pkg/auth/hmac.ServiceVerifier using the ServiceRouterInternal derived key; internal trigger sources sign their requests with a per-service HKDF-derived key from a cluster master secret. An empty master secret falls back to pass-through (preserving compatibility for clusters that have not yet rotated in a secret).
- PR #3365 (commit 0aa24788): added per-service NetworkPolicy resources to charts/fission-all, ensuring svc/router-internal is only reachable from kubewatcher, timer, mqtrigger, and mqt-keda pods inside the release namespace.
The internal-listener path itself is still /fission-function/<ns>/<name>; only its location moved.

Mitigation (until upgrade)
- Apply a NetworkPolicy to the Fission namespace that allows ingress to svc/router (port 8888) only from the consuming project's ingress controller, and block /fission-function/... at the ingress layer (path-based filter on the ingress).
- Avoid exposing the router directly via LoadBalancer/NodePort; front it with an ingress that path-filters /fission-function/.
- Treat function metadata.name as not a secret; names should not be the access control boundary.
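The two-listener split and per-service HMAC gate that the fix describes, as an added Go example (not Fission's code): the public mux never learns about /fission-function/, the internal mux requires a signature under an HKDF-derived per-service key, and an empty master secret is pass-through. The salt, the X-Service / X-Signature header names and the signed string are assumptions; the page does not show the real ServiceVerifier wire format.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
)

// DeriveServiceKey: HKDF-SHA256 (RFC 5869) with a constructed salt and one expand block using the service name as info.
func DeriveServiceKey(master []byte, service string) []byte {
	ext := hmac.New(sha256.New, []byte("router-internal-salt"))
	ext.Write(master)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append([]byte(service), 1))
	return exp.Sum(nil)
}

// Sign binds method, path and body so a captured signature cannot be replayed on another route.
func Sign(key []byte, method, path string, body []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(append([]byte(method+" "+path+"\n"), body...))
	return hex.EncodeToString(m.Sum(nil))
}

// requireServiceHMAC gates the internal listener; an empty master secret is pass-through (the advisory's fallback).
func requireServiceHMAC(master []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		svc, sig := r.Header.Get("X-Service"), r.Header.Get("X-Signature") // hypothetical header names
		want := Sign(DeriveServiceKey(master, svc), r.Method, r.URL.Path, body)
		if len(master) > 0 && (svc == "" || !hmac.Equal([]byte(want), []byte(sig))) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the consumed body on
		next.ServeHTTP(w, r)
	})
}

// BuildListeners: the public mux carries only HTTPTrigger paths; the internal mux carries /fission-function/ behind HMAC.
func BuildListeners(master []byte, fn http.Handler, triggerPaths []string) (pub, internal http.Handler) {
	pubMux, inMux := http.NewServeMux(), http.NewServeMux()
	for _, p := range triggerPaths {
		pubMux.Handle(p, fn)
	}
	inMux.Handle("/fission-function/", fn)
	return pubMux, requireServiceHMAC(master, inMux)
}
```

With an empty master secret the internal listener is protected only by the NetworkPolicy, so the pass-through fallback should be treated as a migration window rather than a steady state.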
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-46614 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.23.0). Upgrading removes the vulnerable code path.
Affected package: github.com/fission/fission (go), versions <= 1.22.0. Fixed version: 1.23.0.

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-46614 is reachable in your applications.
Upgrade github.com/fission/fission to 1.23.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
github.com/fission/fission (go) versions <= 1.22.0 are affected.
Yes. CVE-2026-46614 is fixed in 1.23.0. Upgrade to this version or later.