216.73.216.170

CVE-2026-46612

· Published 10/06/2026 18:17 · Modified 10/06/2026 19:37

Labels: CVE-2026-46612 2026-06-10CVE-2026-46612CWE-306[email protected]

Essential information

Published
10/06/2026 18:17
Modified
10/06/2026 19:37
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes cluster — could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
fission / fission cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:*
fission / storagesvc cpe:2.3:a:fission:storagesvc:*:*:*:*:*:*:*:*

References