CVE-2026-46612: Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes cluster — could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a missing-authentication vulnerability in the StorageSvc component of Fission, an open-source Kubernetes-native serverless framework. The /v1/archive endpoints (GET, POST, DELETE, and list) are exposed over the network with no authentication check, meaning any low-privileged caller that can reach the storagesvc ClusterIP inside the same Kubernetes cluster can perform full CRUD operations on all function archives. Successful exploitation gives an attacker read, write, and delete access over every tenant's function archives, enabling data theft, code tampering, or destruction of deployed functions. Note: the description mentions a patch in version 1.23.0, but no official fix version has been published to the advisory record yet; HarborGuard is tracking the upstream advisory for confirmed patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-46612 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Fission storagesvc component, across registries and CI pipelines.
Available
HarborGuard is capable of scoring this CVE at 8.8 HIGH using the published CVSS v3.1 vector and weighting the result against each environment's compliance policy to flag images that fall outside acceptable risk thresholds. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Available
Because no fix version has been confirmed in the advisory record, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment an official fix is published. In the meantime, compensating-control recommendations (described below) are surfaced for affected images.
Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the storagesvc ClusterIP over the network; in practice this means any workload running inside the same Kubernetes cluster satisfies this requirement.
- Authentication: Required
A low-privilege account or any cluster workload identity is sufficient; no admin credentials are needed, but the caller must have basic network access to the service.
- Victim interaction: Not required
No victim interaction is needed; the attacker sends HTTP requests directly to the unauthenticated endpoints without requiring any user to take an action.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is straightforward and condition-free with no race conditions, memory-layout dependencies, or special environmental setup required.
Blast Radius
- Reads and downloads all function archives across every tenant, exposing proprietary business logic and embedded secrets in deployed functions.
- Uploads arbitrary archive content, replacing legitimate function code with attacker-controlled binaries that execute on the next function invocation.
- Deletes any or all function archives, destroying deployed workloads and causing immediate service disruption for affected tenants.
- Enumerates all archive IDs, giving the attacker a full map of deployed functions to target in follow-on attacks.
How HarborGuard Handles This
Available on HarborGuard: images containing Fission storagesvc below version 1.23.0 are flagged as affected by CVE-2026-46612 as soon as they appear in a connected registry or pipeline scan. Because no fix version has been formally confirmed in the advisory record, HarborGuard will re-evaluate the advisory on each ingest cycle and make a patched-image rebuild available automatically the moment an upstream fix is published; customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. While awaiting a confirmed patch, HarborGuard surfaces compensating-control recommendations: apply a Kubernetes NetworkPolicy to restrict access to the storagesvc ClusterIP to only the namespaces and service accounts that genuinely require it, add an ingress-layer authentication proxy (such as an Istio authorization policy or a sidecar enforcing mTLS) in front of the /v1/archive routes, and consider disabling or isolating the storagesvc pod entirely if archive functionality is not actively needed in the affected environment.
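To check whether the NetworkPolicy compensating control above is actually in force, the following added example (not HarborGuard or Fission code) evaluates NetworkPolicy objects, such as those parsed from `kubectl get networkpolicy -A -o json`, against the storagesvc pod's labels. The `svc: storagesvc` label, the `fission` namespace, the `role: archive-client` label and all three policies are assumptions constructed for illustration.

```python
# Added example: does any NetworkPolicy isolate the storagesvc pod for ingress?
# All labels, namespaces and policies here are constructed sample data.

def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector; {} matches every pod."""
    for key, want in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != want:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, values = expr["key"], expr.get("values") or []
        ok = {"In": labels.get(key) in values,
              "NotIn": labels.get(key) not in values,
              "Exists": key in labels,
              "DoesNotExist": key not in labels}[expr["operator"]]
        if not ok:
            return False
    return True

def audit_ingress(pod_labels, namespace, policies):
    """Return (status, peers). 'unrestricted': no policy selects the pod;
    'open': a rule admits any source; 'restricted': only listed peers."""
    applicable = [
        p for p in policies
        if p["metadata"].get("namespace", "default") == namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector") or {}, pod_labels)
    ]
    if not applicable:
        return "unrestricted", []
    peers = []
    for policy in applicable:
        for rule in policy["spec"].get("ingress") or []:
            sources = rule.get("from") or []
            # No 'from', or an empty namespaceSelector alone, admits every pod.
            if not sources or any(s.get("namespaceSelector") == {}
                                  and not s.get("podSelector") for s in sources):
                return "open", []
            peers.extend(sources)
    return "restricted", peers

STORAGESVC_LABELS = {"svc": "storagesvc"}  # assumed label, verify in your cluster
UNRELATED = {"metadata": {"name": "web-deny", "namespace": "fission"},
             "spec": {"podSelector": {"matchLabels": {"app": "web"}}}}
LOCKED = {"metadata": {"name": "storagesvc-allow", "namespace": "fission"},
          "spec": {"podSelector": {"matchLabels": {"svc": "storagesvc"}},
                   "ingress": [{"from": [{"podSelector": {
                       "matchLabels": {"role": "archive-client"}}}]}]}}
WIDE = {"metadata": {"name": "allow-all-ns", "namespace": "fission"},
        "spec": {"podSelector": {}, "ingress": [{"from": [{"namespaceSelector": {}}]}]}}
```

A result of `unrestricted` or `open` means any workload in the cluster can still reach the /v1/archive routes; NetworkPolicy rules are additive, so one wide policy cancels a narrow one.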
- fission / fission < 1.23.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H