Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives_CVE-2026-46612

{
    "lastseen": "",
    "description": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP \u2014 including any other workload in the same Kubernetes cluster \u2014 could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0.",
    "published": "2026-06-10T17:19:38.139Z",
    "modified": "2026-06-10T18:30:03.980Z",
    "type": "cve",
    "title": "Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives",
    "source": "GitHub_M",
    "references": "https://github.com/fission/fission/security/advisories/GHSA-chf8-4hv6-8pg6\nhttps://github.com/fission/fission/pull/3365\nhttps://github.com/fission/fission/pull/3368\nhttps://github.com/fission/fission/releases/tag/v1.23.0",
    "id": "CVE-2026-46612",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "fission fission < 1.23.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "fission",
    "version": "< 1.23.0",
    "vendor": "fission",
    "ai_description": "Unauthenticated CRUD operations on Fission StorageSvc archives",
    "ai_severity": "High",
    "ai_vendor": "Fission",
    "ai_product": "Fission StorageSvc",
    "ai_version": "< 1.23.0",
    "ai_score": 8.8
}