Improper Access Control

CVE-2026-46614

Low

0/10

Summary

The Fission router registers an internal-style route `/fission-function/<name>` and `/fission-function/<ns>/<name>` for every `Function` object, independent of whether any `HTTPTrigger` exists for that function. The route was mounted on the same listener as user-defined `HTTPTrigger`s (`svc/router`, port 8888), so any caller who could reach the router could invoke any function by guessing its `metadata.name` (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in `HTTPTrigger` objects. This issue affects Fission versions prior to 1.23.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-284 - Improper Access Control

Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.

References

Advisory Timeline

Published May 21, 2026

Improper Access Control

CVE-2026-46614

Summary

CWE-284 - Improper Access Control

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS