Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace — far beyond the Function.spec.secrets allowlist that the function specification suggests. This issue has been patched in version 1.23.0.
CVE-2026-46617
This high-severity CVE scores 8.7 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.3%, top 81% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.7
- EG Score
- 8.7(medium)
- EPSS
- 19.5%
- KEV
- Not listed
Published
May 21, 2026
Last Modified
June 10, 2026
Advisory Details (3)
Auto-updated Jun 10, 2026Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read · Advisory · fission/fission · GitHub
https://github.com/fission/fission/security/advisories/GHSA-85g2-pmrx-r49qv1.23.0
Patch available: fission/fission v1.23.0
https://github.com/fission/fission/releases/tag/v1.23.0Drop fission-fetcher SA token from function user containers
Fix merged in fission/fission PR #3366 on 2026-05-08 — awaiting tagged release
https://github.com/fission/fission/pull/3366Vendor Advisories for CVE-2026-46617(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
Go(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| github.com/fission/fission | — | 1.23.0 | — |
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 6× in last 7d / 53× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 19:56 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 09:27 UTCEG score recompute
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 20:48 UTCEG score recompute
- 2026-06-27 07:59 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 19:21 UTCEG score recompute
- 2026-06-26 03:27 UTCEG score recompute
- 2026-06-25 14:15 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
Show 34 moreShow fewer
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 23:46 UTCEG score recompute
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 11:08 UTCEG score recompute
- 2026-06-16 19:52 UTCEG score recompute
- 2026-06-16 17:53 UTCEPSS rescore
- 2026-06-16 04:44 UTCEG score recompute
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 15:37 UTCEG score recompute
- 2026-06-15 00:34 UTCEG score recompute
- 2026-06-14 11:56 UTCEG score recompute
- 2026-06-13 23:17 UTCEG score recompute
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-13 10:39 UTCEG score recompute
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 21:58 UTCEG score recompute
- 2026-06-12 09:18 UTCEG score recompute
- 2026-06-11 20:35 UTCEG score recompute
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-11 07:57 UTCEG score recompute
- 2026-06-10 19:19 UTCEG score recompute▲ 8.70
- 2026-06-10 19:18 UTCNVD updateCVSS v3 → 8.7 · CVSS v4 → 8.7
- 2026-05-24 06:11 UTCEG score recompute
Frequently asked(5)
What is CVE-2026-46617?
When was CVE-2026-46617 disclosed?
Is CVE-2026-46617 actively exploited?
What is the CVSS score of CVE-2026-46617?
How do I remediate CVE-2026-46617?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-46617
Is Your Infrastructure Affected by CVE-2026-46617?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.