{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fission--1.22.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Fission (\u003c= 1.22.0)","fission/fission"],"_cs_severities":["high"],"_cs_tags":["kubernetes","serverless","authentication-bypass","code-execution"],"_cs_type":"threat","_cs_vendors":["Fission"],"content_html":"\u003cp\u003eFission is a serverless framework for Kubernetes. A critical vulnerability exists within the \u003ccode\u003estoragesvc\u003c/code\u003e component of Fission versions 1.22.0 and earlier. The \u003ccode\u003estoragesvc\u003c/code\u003e registers archive CRUD handlers (\u003ccode\u003e/v1/archive\u003c/code\u003e GET / POST / DELETE and \u003ccode\u003e/v1/archives\u003c/code\u003e list) directly on its HTTP router without any authentication or authorization checks. This oversight enables any workload within the same Kubernetes cluster to interact with the archive storage service, bypassing tenant boundaries. The vulnerability was addressed in Fission v1.23.0 via PR #3368, which implemented HMAC verification, and defense in depth was added via PR #3365 which implemented a NetworkPolicy for the service. This unauthenticated access allows attackers to enumerate, download, modify, or delete function deployment archives, impacting code integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a pod within the Kubernetes cluster hosting Fission.\u003c/li\u003e\n\u003cli\u003eThe compromised pod discovers the \u003ccode\u003estoragesvc\u003c/code\u003e ClusterIP.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/v1/archives\u003c/code\u003e to enumerate archive IDs.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GET request to \u003ccode\u003e/v1/archive/{archiveID}\u003c/code\u003e to download a function\u0026rsquo;s deployment archive, exposing source code and embedded secrets.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends a DELETE request to \u003ccode\u003e/v1/archive/{archiveID}\u003c/code\u003e to remove a function archive, causing function specialization failures.\u003c/li\u003e\n\u003cli\u003eThe attacker can also send a POST request to \u003ccode\u003e/v1/archive\u003c/code\u003e to upload a malicious archive.\u003c/li\u003e\n\u003cli\u003eSubsequent function specializations fetch and execute the uploaded malicious archive.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the Fission environment, potentially leading to further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a workload within the cluster to enumerate every function deployment archive, download sensitive function code and secrets, delete archives causing function failures, and upload malicious archives leading to code execution. This completely breaks tenant boundaries in multi-tenant Fission deployments. The absence of authentication on the \u003ccode\u003estoragesvc\u003c/code\u003e endpoint allows for trivial exploitation from any compromised workload within the cluster. This vulnerability is tracked as CVE-2026-46612.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Fission to v1.23.0 or later to incorporate the authentication fix introduced in PR #3368.\u003c/li\u003e\n\u003cli\u003eEnable the Helm chart\u0026rsquo;s per-service NetworkPolicy (set \u003ccode\u003enetworkPolicy.enabled=true\u003c/code\u003e) as outlined in the Mitigation section of the advisory.\u003c/li\u003e\n\u003cli\u003eImplement egress/ingress restrictions for \u003ccode\u003estoragesvc\u003c/code\u003e to limit network access to only the executor, builder, and fetcher pods, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Access to Fission StorageSvc Archive Endpoint\u0026rdquo; to detect unauthorized access attempts to the \u003ccode\u003e/v1/archive\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Fission StorageSvc Archive Manipulation\u0026rdquo; to detect POST/DELETE attempts to the \u003ccode\u003e/v1/archive\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:08:37Z","date_published":"2026-05-21T20:08:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fission-storagesvc-auth-bypass/","summary":"The Fission `storagesvc` component exposes unauthenticated CRUD operations on the `/v1/archive` endpoint, allowing any workload within the same Kubernetes cluster to enumerate archive IDs, download archives, upload arbitrary content, and delete archives, leading to potential code and secret exposure and function disruption.","title":"Fission StorageSvc Unauthenticated Archive CRUD Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-fission-storagesvc-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Fission (\u003c= 1.22.0)","version":"https://jsonfeed.org/version/1.1"}