{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46612", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-15T19:34:14.011Z", "datePublished": "2026-06-10T17:19:38.139Z", "dateUpdated": "2026-06-12T03:55:18.611Z"}, "containers": {"cna": {"title": "Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/fission/fission/security/advisories/GHSA-chf8-4hv6-8pg6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fission/fission/security/advisories/GHSA-chf8-4hv6-8pg6"}, {"name": "https://github.com/fission/fission/pull/3365", "tags": ["x_refsource_MISC"], "url": "https://github.com/fission/fission/pull/3365"}, {"name": "https://github.com/fission/fission/pull/3368", "tags": ["x_refsource_MISC"], "url": "https://github.com/fission/fission/pull/3368"}, {"name": "https://github.com/fission/fission/releases/tag/v1.23.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/fission/fission/releases/tag/v1.23.0"}], "affected": [{"vendor": "fission", "product": "fission", "versions": [{"version": "< 1.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T17:19:38.139Z"}, "descriptions": [{"lang": "en", "value": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP \u2014 including any other workload in the same Kubernetes cluster \u2014 could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0."}], "source": {"advisory": "GHSA-chf8-4hv6-8pg6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-11T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-46612"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-12T03:55:18.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-46612", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-10T18:29:54.622023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T18:29:58.373Z"}}], "cna": {"title": "Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives", "source": {"advisory": "GHSA-chf8-4hv6-8pg6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "fission", "product": "fission", "versions": [{"status": "affected", "version": "< 1.23.0"}]}], "references": [{"url": "https://github.com/fission/fission/security/advisories/GHSA-chf8-4hv6-8pg6", "name": "https://github.com/fission/fission/security/advisories/GHSA-chf8-4hv6-8pg6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fission/fission/pull/3365", "name": "https://github.com/fission/fission/pull/3365", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fission/fission/pull/3368", "name": "https://github.com/fission/fission/pull/3368", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fission/fission/releases/tag/v1.23.0", "name": "https://github.com/fission/fission/releases/tag/v1.23.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP \u2014 including any other workload in the same Kubernetes cluster \u2014 could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T17:19:38.139Z"}}}, "cveMetadata": {"cveId": "CVE-2026-46612", "state": "PUBLISHED", "dateUpdated": "2026-06-12T03:55:18.611Z", "dateReserved": "2026-05-15T19:34:14.011Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-10T17:19:38.139Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP \u2014 including any other workload in the same Kubernetes cluster \u2014 could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0."}], "id": "CVE-2026-46612", "lastModified": "2026-06-10T19:37:41.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-10T18:17:05.427", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/fission/fission/pull/3365"}, {"source": "security-advisories@github.com", "url": "https://github.com/fission/fission/pull/3368"}, {"source": "security-advisories@github.com", "url": "https://github.com/fission/fission/releases/tag/v1.23.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/fission/fission/security/advisories/GHSA-chf8-4hv6-8pg6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "fission", "source": "cna", "vendor": "fission"}, "product": "fission", "vendor": "fission"}], "created": "2026-06-10T19:45:39.064757+00:00", "updated": "2026-06-11T10:41:30.701587+00:00", "vendors": ["fission", "fission$PRODUCT$fission"]}