216.73.217.172

CVE-2026-46617

· Published 10/06/2026 18:17 · Modified 10/06/2026 19:37

Labels: CVE-2026-46617 2026-06-10CVE-2026-46617CWE-250[email protected]

Essential information

Published
10/06/2026 18:17
Modified
10/06/2026 19:37
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace — far beyond the Function.spec.secrets allowlist that the function specification suggests. This issue has been patched in version 1.23.0.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
fission / fission cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:*
kubernetes / kubernetes cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*

References