# [CRIT] [GHSA / CRITICAL] CVE-2026-46614: Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

**Source:** GitHub Security Advisories
**Published:** 2026-05-21
**Article:** https://github.com/advisories/GHSA-3g33-6vg6-27m8

## Threat Profile

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

### Summary

The Fission router registers an internal-style route — `/fission-function/<name>` and `/fission-function/<ns>/<name>` — for every `Function` object, independent of whether any `HTTPTrigger` exists for that function. The route was mounted on the same listener as user-defined `HTTPTrigger`s (`svc/router`, port 8888), so any caller who could reach the…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-46614`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1133** — External Remote Services
- **T1595.003** — Active Scanning: Wordlist Scanning
- **T1083** — File and Directory Discovery

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### CVE-2026-46614: Unauthorized /fission-function/ invocation on Fission router public listener (port 8888)

`UC_227_1` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count from datamodel=Web where Web.url="*/fission-function/*" by _time, Web.src, Web.dest, Web.dest_port, Web.url, Web.http_method, Web.status, Web.http_user_agent
| `drop_dm_object_name(Web)`
| eval dest_port=coalesce(dest_port,"unknown")
| where (dest_port="8888" OR dest_port="unknown") AND status!="404"
| eval reason=case(status=="200","Successful unauthorized invocation",status=="502","Cold-start invocation (function exists)",status=="401","Auth challenge (post-patch)",true(),"Other - verify manually")
| table _time, src, dest, dest_port, http_method, url, status, reason, http_user_agent
```

### Fission Function Name Enumeration via /fission-function/ Probing (CVE-2026-46614 recon)

`UC_227_2` · phase: **recon** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count from datamodel=Web where Web.url="*/fission-function/*" by _time span=10m, Web.src, Web.dest, Web.url, Web.status, Web.http_user_agent
| `drop_dm_object_name(Web)`
| stats dc(url) as UniqueFunctionPaths, sum(count) as TotalRequests, dc(eval(if(status=="200" OR status=="502", url, null()))) as HitFunctions, dc(eval(if(status=="404", url, null()))) as MissFunctions, values(http_user_agent) as UserAgents, values(dest) as Routers by _time, src
| where UniqueFunctionPaths >= 5 AND MissFunctions >= 3
| eval EnumerationConfidence=case(HitFunctions>0 AND MissFunctions>=3,"High - mixed 200/502 hits with 404 misses",MissFunctions>=10,"Medium - heavy 404 probing",true(),"Low")
| table _time, src, UniqueFunctionPaths, TotalRequests, HitFunctions, MissFunctions, EnumerationConfidence, Routers, UserAgents
```
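As an added example (not from the advisory or the Fission project), the two hunts above, UC_227_1 and UC_227_2, re-implemented in Python over constructed router access-log lines; it assumes a combined-log layout with the listener port appended, which is a stand-in rather than Fission's real router log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: combined-log layout plus listener port (not Fission's real format).
SAMPLE_LOG = """\
198.51.100.7 - - [21/May/2026:10:00:01 +0000] "GET /fission-function/default/hello HTTP/1.1" 200 8888 "curl/8.6"
198.51.100.7 - - [21/May/2026:10:00:02 +0000] "GET /fission-function/default/admin HTTP/1.1" 404 8888 "curl/8.6"
198.51.100.7 - - [21/May/2026:10:00:03 +0000] "GET /fission-function/default/backup HTTP/1.1" 404 8888 "curl/8.6"
198.51.100.7 - - [21/May/2026:10:00:04 +0000] "GET /fission-function/default/test HTTP/1.1" 404 8888 "curl/8.6"
198.51.100.7 - - [21/May/2026:10:00:05 +0000] "GET /fission-function/default/report HTTP/1.1" 502 8888 "curl/8.6"
203.0.113.9 - - [21/May/2026:10:04:10 +0000] "POST /orders HTTP/1.1" 200 8888 "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)[^"]*" '
                     r'(?P<status>\d{3}) (?P<port>\d+) "[^"]*"$')
REASONS = {"200": "Successful unauthorized invocation",
           "502": "Cold-start invocation (function exists)",
           "401": "Auth challenge (post-patch)"}

def parse_log(text):
    # Lines that do not match the layout are skipped rather than guessed at.
    recs = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for r in recs:
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return recs

def hunt_invocations(records):
    # UC_227_1 equivalent: any non-404 hit on /fission-function/ via port 8888.
    return [(r["src"], r["url"], r["status"], REASONS.get(r["status"], "Other - verify manually"))
            for r in records
            if "/fission-function/" in r["url"] and r["port"] == "8888" and r["status"] != "404"]

def hunt_enumeration(records, window=timedelta(minutes=10), min_paths=5, min_misses=3):
    # UC_227_2 equivalent: one source probing many function paths inside a fixed window.
    buckets = defaultdict(lambda: {"paths": set(), "hits": set(), "misses": set()})
    for r in records:
        if "/fission-function/" not in r["url"]:
            continue
        start = r["ts"] - (r["ts"] - r["ts"].replace(hour=0, minute=0, second=0, microsecond=0)) % window
        b = buckets[(r["src"], start)]
        b["paths"].add(r["url"])
        if r["status"] in ("200", "502"):
            b["hits"].add(r["url"])
        elif r["status"] == "404":
            b["misses"].add(r["url"])
    findings = {}
    for key, b in buckets.items():
        if len(b["paths"]) >= min_paths and len(b["misses"]) >= min_misses:
            findings[key] = ("High - mixed 200/502 hits with 404 misses" if b["hits"]
                             else "Medium - heavy 404 probing" if len(b["misses"]) >= 10 else "Low")
    return findings
```

On the sample, the single 198.51.100.7 window is scored High because it mixes 200/502 hits with 404 misses, while the unrelated /orders request is ignored by both hunts.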

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-46614`

## Why this matters

Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
