CVE-2026-46617 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46617: Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace — far beyond the Function.spec.secrets allowlist that the function specification suggests. This issue has been patched in version 1.23.0.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 1.23.0
Affected products: 1


HarborGuard Analysis

Synopsis

CVE-2026-46617 is a Kubernetes service-account token exposure in Fission, the open-source serverless framework for Kubernetes. Before 1.23.0, user-supplied function code runs inside a runtime pod that automounts the fission-fetcher ServiceAccount token into every container, so the function container can call the Kubernetes API with that account's namespace-wide get on secrets and configmaps. The only prerequisite is the ability to deploy function code into the cluster, which is exactly the boundary Function.spec.secrets is meant to enforce; no further Kubernetes credentials are needed, and the CVSS v4.0 vector accordingly rates the issue network-reachable with no privileges required. Successful exploitation lets the function read any secret or configmap in its namespace, far beyond what the function specification declares. A patched-image rebuild at version 1.23.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Fission runtime images, in both registry scans and CI/CD pipeline checks.

Available
Triage

HarborGuard scores this finding at CVSS 8.7 (HIGH) and weights it against each environment's compliance policy to determine routing priority; per-organization routing rules direct the finding to the appropriate team inbox within each customer org.

Available
Patch

Upstream fixed this issue in version 1.23.0 (the affected range is < 1.23.0), and HarborGuard's patched-image rebuild targets that version. The finding stays open and active in an affected environment's queue until the Fission images in use have been rebuilt at 1.23.0 or later.

Available

Exploit Conditions

  • Network reachability: Required

    The Fission control plane and function endpoints are exposed over the network, so an attacker can deliver malicious function code by deploying or updating a function remotely, without local or adjacent-network access.

  • Authentication: Not required

    No Kubernetes credentials are needed beyond the ability to deploy a function; the fission-fetcher token is automounted unconditionally into every runtime pod regardless of who submitted the function, so the function's own code reads it from the pod filesystem.

  • Victim interaction: Not required

    No user or administrator action is needed after function deployment; the token is readable by function code at /var/run/secrets/kubernetes.io/serviceaccount/token from the first invocation.

  • Attack complexity: Low

    Exploitation is straightforward and condition-free: the token path is fixed and predictable, the API server is reachable from the pod by default, and no race or timing window is involved.

Blast Radius

  • Reads any Kubernetes Secret in the function namespace, including database passwords, API keys, and TLS certificates stored there.
  • Reads any ConfigMap in the function namespace, including environment-specific configuration that may contain internal service endpoints or feature flags.
  • Bypasses the Function.spec.secrets allowlist entirely, so access is not limited to secrets the function owner explicitly declared; where the role grants get but not list, the attacker must know or guess a secret's name, which configmaps, environment variables and conventional naming usually make easy.
  • Enables lateral movement within the namespace by using harvested credentials to authenticate to other services or APIs reachable from that namespace.

How HarborGuard Handles This

Available on HarborGuard: upstream fixed CVE-2026-46617 in Fission 1.23.0, and the patched-image rebuild targets that version. Environments that cannot move to 1.23.0 yet can apply compensating controls through HarborGuard policy, with two caveats a practitioner should check before enabling them. A NetworkPolicy that blocks egress from function pods to the Kubernetes API server applies to the whole pod, including the fetcher sidecar, so it also stops the fetcher from loading function code and declared secrets; it is only viable if the fetcher does not need the API from inside that pod in your deployment. Likewise, automountServiceAccountToken is a pod-level field, so an admission policy (a mutating webhook or an OPA Gatekeeper rule) that sets it to false on Fission runtime pods removes the token from the fetcher as well; the token must then be re-provided to the fetcher container alone, for example with a projected serviceAccountToken volume whose volumeMount appears only in the fetcher container and not in the function container. The RBAC audit is the simplest check: confirm what the fission-fetcher binding actually grants with kubectl auth can-i get secrets -n <namespace> --as=system:serviceaccount:<namespace>:fission-fetcher, and from inside a function verify whether /var/run/secrets/kubernetes.io/serviceaccount/token exists. These compensating-control recommendations are surfaced in the finding detail within each HarborGuard environment. For customers with auto-remediation enabled, HarborGuard automatically opens a rebuild and a PR against affected workloads, moving them to 1.23.0 or a later fix version.
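As an added example, not Fission's own code or HarborGuard tooling: a small offline audit that applies the automount and RBAC semantics described above to pod specs and a Role/RoleBinding. It covers both the mechanism in the advisory description (every container of a pod that leaves automountServiceAccountToken unset receives the fission-fetcher token, and the role's get on secrets/configmaps carries no resourceNames scope) and the compensating control described here (automount disabled at pod level, token re-provided only to the fetcher container through a projected volume). The pod specs, the container names fetcher and python, the namespace fission-function, the image tags and the volume name fetcher-token are constructed assumptions, not Fission's actual manifests; the same functions can be pointed at the JSON from kubectl get pod -o json.

```python
"""Offline audit of service-account token exposure in a pod spec plus namespace
RBAC, in the shape CVE-2026-46617 describes. Pod specs, names and namespace
below are constructed illustrations (assumptions), not Fission's manifests."""
from __future__ import annotations

TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed approximation of a pre-1.23.0 runtime pod as the advisory
# describes it: runs as fission-fetcher and never sets
# automountServiceAccountToken, so the token lands in every container.
VULNERABLE_POD = {
    "metadata": {"name": "poolmgr-python-abc123", "namespace": "fission-function"},
    "spec": {
        "serviceAccountName": "fission-fetcher",
        "containers": [
            {"name": "fetcher", "image": "fission/fetcher:1.22.0"},
            {"name": "python", "image": "fission/python-env:1.22.0"},
        ],
    },
}

# Constructed hardened shape: automount off at pod level, and a projected
# serviceAccountToken volume mounted only into the fetcher sidecar.
HARDENED_POD = {
    "metadata": {"name": "poolmgr-python-def456", "namespace": "fission-function"},
    "spec": {
        "serviceAccountName": "fission-fetcher",
        "automountServiceAccountToken": False,
        "volumes": [{"name": "fetcher-token", "projected": {"sources": [
            {"serviceAccountToken": {"expirationSeconds": 3600, "path": "token"}}]}}],
        "containers": [
            {"name": "fetcher", "image": "fission/fetcher:1.23.0",
             "volumeMounts": [{"name": "fetcher-token", "mountPath": TOKEN_DIR, "readOnly": True}]},
            {"name": "python", "image": "fission/python-env:1.23.0"},
        ],
    },
}

# Constructed Role/RoleBinding with the namespace-wide grant the advisory describes.
FETCHER_ROLE = {
    "metadata": {"name": "fission-fetcher", "namespace": "fission-function"},
    "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get"]}],
}
FETCHER_BINDING = {
    "metadata": {"namespace": "fission-function"},
    "roleRef": {"kind": "Role", "name": "fission-fetcher"},
    "subjects": [{"kind": "ServiceAccount", "name": "fission-fetcher", "namespace": "fission-function"}],
}


def token_sources(pod: dict, sa_automount: bool = True) -> dict[str, str]:
    """Map container name -> how it receives a token; containers with none are
    omitted. Pod-level automountServiceAccountToken overrides the
    ServiceAccount's setting (sa_automount); an explicit projected
    serviceAccountToken volume is delivered regardless of either flag."""
    spec = pod["spec"]
    automount = spec.get("automountServiceAccountToken", sa_automount)
    token_volumes = {v["name"] for v in spec.get("volumes", [])
                     if any("serviceAccountToken" in s
                            for s in v.get("projected", {}).get("sources", []))}
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        explicit = [m["name"] for m in c.get("volumeMounts", []) if m["name"] in token_volumes]
        if explicit:
            result[c["name"]] = f"volume:{explicit[0]}"
        elif automount:
            result[c["name"]] = "automount"
    return result


def bound_to(binding: dict, sa_name: str, sa_namespace: str) -> bool:
    """True if the RoleBinding names this ServiceAccount as a subject."""
    return any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
               and s.get("namespace", binding["metadata"]["namespace"]) == sa_namespace
               for s in binding.get("subjects", []))


def namespace_wide_reads(role: dict, verbs=("get", "list", "watch")) -> set[str]:
    """Core-group resources the role can read anywhere in the namespace. Rules
    with resourceNames are skipped: they scope access to named objects, which
    is the allowlist shape Function.spec.secrets implies. A literal "*" in the
    result means every resource."""
    found: set[str] = set()
    for rule in role.get("rules", []):
        if rule.get("resourceNames"):
            continue
        groups = rule.get("apiGroups", [])
        if "" not in groups and "*" not in groups:
            continue
        rule_verbs = set(rule.get("verbs", []))
        if "*" not in rule_verbs and not rule_verbs & set(verbs):
            continue
        found.update(rule.get("resources", []))
    return found


def audit(pod: dict, role: dict, binding: dict, sa_automount: bool = True) -> dict[str, list[str]]:
    """{container: sorted namespace-wide readable resources} for every container
    that holds a token for a ServiceAccount bound to the given role."""
    spec = pod["spec"]
    sa, ns = spec.get("serviceAccountName", "default"), pod["metadata"]["namespace"]
    if not bound_to(binding, sa, ns) or binding["roleRef"]["name"] != role["metadata"]["name"]:
        return {}
    readable = sorted(namespace_wide_reads(role))
    return {name: readable for name in token_sources(pod, sa_automount)}


if __name__ == "__main__":
    for label, pod in (("vulnerable", VULNERABLE_POD), ("hardened", HARDENED_POD)):
        print(label, token_sources(pod), audit(pod, FETCHER_ROLE, FETCHER_BINDING))
```

On the constructed vulnerable pod both containers come back with "automount" and namespace-wide read of configmaps and secrets; on the hardened pod only the fetcher container holds a token, delivered by the fetcher-token volume, and the function container gets nothing. The audit deliberately treats a rule with resourceNames as not namespace-wide, so a role rewritten to name only the secrets a function declares passes.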

Affected packages
  • fission / fission
    < 1.23.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N