External risk intelligence

Fission Router Insecure Function Invocation Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-46614

A critical vulnerability in the Fission serverless framework allows unauthenticated callers to invoke any function by guessing its name and namespace, bypassing intended access controls. This bypass occurs because the Fission router registers internal routes for all functions, regardless of HTTP triggers. If the router

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-46614

4

The vulnerability exists in the Fission router component, which is designed to handle and route HTTP traffic for serverless functions. Because this router serves as the primary ingress point for functions and is intended to be reachable to process incoming requests, it is commonly deployed as an internet-facing or network-accessible service in Kubernetes environments.

PCI scan relevance

PCI Relevance for CVE-2026-46614

Yes

CVE-2026-46614 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Fission allows unauthenticated access to any function by bypassing host and path restrictions, which could lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in the Fission serverless framework for Kubernetes. It allows unauthorized access to functions by bypassing configured restrictions, potentially leading to unintended data exposure or manipulation. The main concern is confirming relevance and exposure within your environment.

  • Unrestricted function access.
  • Fission is widely used for serverless applications.
  • Assess Fission's exposure and function access.

Attack Path

How an attacker could exploit the issue

An attacker can reach the Fission router, which is often exposed to the network, and guess the names of functions. If successful, the attacker can invoke these functions directly, bypassing intended access controls and security checks. This could lead to unauthorized access to function logic or data.

  • Network access to router required.
  • Guessing function metadata triggers vulnerability.
  • Unauthorized function execution risk.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, unauthenticated attackers could invoke any Fission function by guessing its name and namespace, bypassing intended access controls. This could expose function behavior and potentially impact service availability.

  • Function metadata could be exposed.
  • Invocation via guessed resource names.
  • Unintended function execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application and platform teams are likely responsible for addressing this vulnerability, as Fission operates within Kubernetes to manage serverless functions. The initial step is to identify all Fission router instances, confirm their exposure and criticality, and then engage the accountable owner to plan remediation, prioritizing instances that are externally reachable and business-critical.

  • Platform or application owners should own the issue.
  • Verify router reachability and function criticality.
  • Plan phased upgrades based on risk assessment.

Frequently asked questions

What is the Fission framework?

Fission is an open-source, serverless framework built natively for Kubernetes. Developers use it to simplify how they deploy and run functions or applications on a cluster without manually managing the underlying infrastructure. By automating the routing and scaling of code, it acts as a platform for executing event-driven or request-based tasks directly within your containerized environment.

What is the security weakness in CVE-2026-46614?

The issue involves Improper Access Control (CWE-284) and Missing Authorization for Function (CWE-862). Essentially, the Fission router automatically registered internal-style routes for every function regardless of whether a specific HTTPTrigger was defined. Because these routes were active, the system failed to enforce the security policies, such as path or method restrictions, that developers intended to apply to their functions.

How can an attacker trigger this vulnerability?

An attacker triggers the bug by sending a request to the Fission router and guessing the function's metadata, specifically its name and namespace. If the guess is correct, the router executes the function. Importantly, the vulnerability does not require the attacker to compromise an existing HTTPTrigger; the function can be invoked even if no formal trigger object is configured to expose it to the network.

Is my Fission deployment at risk?

Your risk depends on network reachability. According to Halo Surface Signal, the Fission router is designed to act as the primary ingress point for handling traffic, meaning it is often deployed to be network-accessible. If your router is reachable from untrusted networks or the public internet, an attacker can attempt to invoke functions directly, bypassing any security restrictions you assumed were in place.

What is the first step to fix this issue?

The primary resolution is to update your Fission deployment to version 1.23.0 or later, where this routing behavior has been patched. Start by identifying all Fission router instances in your Kubernetes environment, determine which ones are reachable over the network, and coordinate with your platform or application teams to prioritize the upgrade for those critical, exposed components.
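The distinction the FAQ draws between a Function object and an HTTPTrigger is what makes triage possible: on an unpatched router, every function is routable, but the ones nobody attached a trigger to are the ones the developer never meant to expose. The script below is an added example (not Fission project code) that takes the JSON `kubectl get functions.fission.io -A -o json` and `kubectl get httptriggers.fission.io -A -o json` produce, lists functions with no trigger, and checks a router version against the 1.23.0 fix. The sample objects are constructed, and the field layout (`metadata.name`, `metadata.namespace`, `spec.functionref.name`) is assumed to match Fission's CRDs.

```python
"""Triage helper for CVE-2026-46614 (added example, not Fission code).

Functions without an HTTPTrigger are routable on routers older than
1.23.0 even though no developer exposed them, so review those first.
Sample objects are constructed; CRD field names are assumed.
"""
import json

FUNCTIONS_JSON = json.dumps({"items": [
    {"metadata": {"name": "hello", "namespace": "default"}},
    {"metadata": {"name": "billing-export", "namespace": "finance"}},
    {"metadata": {"name": "health", "namespace": "default"}},
]})

TRIGGERS_JSON = json.dumps({"items": [
    {"metadata": {"name": "hello-trig", "namespace": "default"},
     "spec": {"functionref": {"name": "hello"}, "relativeurl": "/hello"}},
]})


def untriggered_functions(functions_json: str, triggers_json: str) -> list:
    """Return sorted (namespace, name) pairs of functions no trigger references.

    A trigger's functionref carries only a name; Fission resolves it in the
    trigger's own namespace, so (namespace, name) is the matching key.
    """
    triggered = set()
    for trig in json.loads(triggers_json)["items"]:
        ns = trig["metadata"]["namespace"]
        triggered.add((ns, trig["spec"]["functionref"]["name"]))
    return sorted(
        (f["metadata"]["namespace"], f["metadata"]["name"])
        for f in json.loads(functions_json)["items"]
        if (f["metadata"]["namespace"], f["metadata"]["name"]) not in triggered
    )


def router_is_patched(version: str) -> bool:
    """True when a version string such as 'v1.23.0' or '1.24.0-rc1' is >= 1.23.0."""
    parts = tuple(int(p) for p in version.lstrip("v").split("-")[0].split("."))
    parts = parts + (0,) * (3 - len(parts))  # pad 'v1.23' to (1, 23, 0)
    return parts >= (1, 23, 0)


if __name__ == "__main__":
    for ns, name in untriggered_functions(FUNCTIONS_JSON, TRIGGERS_JSON):
        print(f"review: {ns}/{name} has no HTTPTrigger")
    print("router patched:", router_is_patched("v1.22.1"))
```

Feed it the real `kubectl` output and the router's reported version to rank which namespaces to upgrade first.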
