Fission disclosed a high-severity flaw, tracked as CVE-2026-46614 and GHSA-3g33-6vg6-27m8, that exposed internal per-function routes on the same public router listener used for normal HTTPTrigger traffic. In affected versions up to 1.22.0, any party with network access to the router could call /fission-function/<name> or /fission-function/<ns>/<name> directly, even if no HTTPTrigger existed for that function. The behavior bypassed host, path, and method restrictions enforced by HTTPTrigger, potentially exposing unpublished functions, enabling function-name enumeration, and creating cross-tenant access risks in multi-tenant or internet-facing deployments.
Fission fixed the issue in version 1.23.0 by separating public and internal router listeners, moving direct function invocation to an internal ClusterIP-only service on port 8889, and adding HMAC-based authentication for internal requests. The remediation also updated internal components including kubewatcher, timer, Kafka consumers, KEDA scaler components, fetcher, builder, and executor to use signed requests, while tightening NetworkPolicy controls and adding tests to block public access to /fission-function/. Until upgraded, operators were advised to restrict router ingress, block /fission-function/ paths at the ingress layer, and avoid exposing the router directly through LoadBalancer or NodePort.
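The shape of that remediation, as an added Go example (not Fission's own code, and not taken from the advisory): an HMAC middleware that the internal listener applies to every /fission-function/ request, and a public listener that no longer routes that prefix at all, so host/path/method restrictions on HTTPTrigger can no longer be sidestepped. The header name `X-Internal-Signature`, the signed-string layout (method and path) and the shared key are assumptions; the page does not describe Fission's actual signing format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed header name; the page does not give the exact signing format Fission uses.
const sigHeader = "X-Internal-Signature"

// signRequest binds the tag to method and path, so a captured tag cannot be
// replayed against a different function route.
func signRequest(key []byte, method, path string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(method + "\n" + path))
	return hex.EncodeToString(mac.Sum(nil))
}

// requireHMAC guards the internal listener: reaching port 8889 is not enough,
// every request must carry a valid tag, compared in constant time.
func requireHMAC(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got, err := hex.DecodeString(r.Header.Get(sigHeader))
		want, _ := hex.DecodeString(signRequest(key, r.Method, r.URL.Path))
		if err != nil || !hmac.Equal(got, want) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// publicRouter models the separated public listener: the internal prefix is
// not routed there at all, signed or not; only HTTPTrigger routes are served.
func publicRouter(triggers http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/fission-function/") {
			http.NotFound(w, r)
			return
		}
		triggers.ServeHTTP(w, r)
	})
}

// invoke sends one in-process request (no network) and returns the status code.
func invoke(h http.Handler, method, path, sig string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set(sigHeader, sig)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

An operator's pre-upgrade check is the mirror image of `publicRouter`: a request for `/fission-function/<ns>/<name>` through the public ingress should return 404 once the path block is in place.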

A CVE entry documented the Fission vulnerability as CVE-2026-46614, describing how versions before 1.23.0 allowed anyone with network access to the router to invoke functions by guessing function name and namespace. The entry notes the issue was fixed in Fission 1.23.0.
Fission disclosed that versions up to 1.22.0 exposed internal /fission-function routes on the public router listener, allowing direct invocation of functions without an HTTPTrigger and bypassing host, path, and method restrictions. The advisory states the issue was fixed in version 1.23.0 with separate public and internal listeners, HMAC-based verification, and internal access controls.
Fission merged the follow-on hardening work for GHSA-3g33-6vg6-27m8 into main, completing changes that split public and internal router listeners, moved direct function routes to internal port 8889, added HMAC authentication for internal requests, and tightened service and NetworkPolicy exposure.