CVE-2026-46617

Source
https://cve.org/CVERecord?id=CVE-2026-46617
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46617.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46617
Aliases
Published
2026-06-10T17:20:10.375Z
Modified
2026-07-08T08:13:37.392835219Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read
Details

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace — far beyond the Function.spec.secrets allowlist that the function specification suggests. This issue has been patched in version 1.23.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46617.json",
    "cwe_ids": [
        "CWE-250",
        "CWE-269",
        "CWE-538"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/fission/fission

Affected ranges

Type
GIT
Repo
https://github.com/fission/fission
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.23.0"
        }
    ]
}

Affected versions

0.*
0.10.0
0.3.0
0.3.0-rc
0.4.0
0.4.0rc
0.4.1
0.6.0
0.6.1
0.7.2
1.*
1.0-rc1
1.13.0
1.13.1
1.14.0
1.14.1
1.3.0
1.6.0
1.7.0
1.7.0-rc.1
1.7.0-rc.2
1.7.1
1.8.0
Other
alpha20170124
kubecon
latest
nightly20170621
nightly20170705
v0.*
v0.2.0-20170901
v0.2.1
v1.*
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.15.0
v1.15.0-rc1
v1.15.0-rc2
v1.15.1
v1.16.0
v1.16.0-rc1
v1.16.0-rc2
v1.17.0
v1.17.0-rc1
v1.17.0-rc2
v1.18.0
v1.18.0-rc1
v1.18.0-rc2
v1.19.0
v1.19.0-rc1
v1.19.0-rc2
v1.20.0
v1.20.0-rc1
v1.20.0-rc2
v1.20.1
v1.20.2
v1.20.3
v1.20.4
v1.20.5
v1.21.0
v1.21.0-rc1
v1.21.0-rc2
v1.22.0
v1.22.0-rc1
v1.22.0-rc2
v1.6.0
v1.7.0
v1.7.0-rc.1
v1.7.0-rc.2
v1.7.1
v1.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46617.json"