CVE-2026-46612 HIGH

CVE-2026-46612: Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives

Vendor Fission
Product fission
Weakness CWE-306 · Missing auth
Published June 10, 2026
Last update June 12, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes cluster — could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0.

Key dates

02Disclosure timeline

June 10, 2026 CVE published
June 12, 2026 Record updated