CVE-2026-50545

CVE-2026-50545 — Fission Environment CRD PodSpec Injection Leading to Node Escape

Detects exploitation of CVE-2026-50545, a critical privilege escalation vulnerability in the Fission serverless framework (<=1.23.0), where an attacker with permissions to create or modify Fission Environment CRDs can inject arbitrary PodSpec fields. This enables mounting host paths, disabling securityContext constraints, running privileged containers, or escaping to the underlying Kubernetes node, potentially resulting in full cluster takeover. CVSS 9.9.

Vulnerability Intelligence

Public PoC

What is CVE-2026-50545 — Fission Environment CRD PodSpec Injection Leading to Node Escape?

CVE-2026-50545 (Fission Environment CRD PodSpec Injection Leading to Node Escape) maps to the Privilege Escalation, Lateral Movement and Impact tactics in MITRE ATT&CK. Under Privilege Escalation, the adversary is trying to gain higher-level permissions.

This page provides production-ready detection logic for CVE-2026-50545 — Fission Environment CRD PodSpec Injection Leading to Node Escape, covering the data sources and telemetry it touches: Azure Kubernetes Service, Kubernetes Audit Logs, Microsoft Defender for Cloud. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Privilege Escalation, Lateral Movement, Impact
Microsoft Sentinel / Defender
kusto
// AKS control-plane audit events arrive under the "kube-audit" diagnostic category
union
    AuditLogs,
    AzureDiagnostics
| where Category == "kube-audit"
| extend log = parse_json(log_s)
// Keep only writes to Fission Environment custom resources
| where tostring(log.verb) in ("create", "update", "patch")
  and tostring(log.objectRef.resource) == "environments"
  and tostring(log.objectRef.apiGroup) has "fission.io"
// requestObject is only present when the audit policy logs at Request level or above
| extend requestObject = parse_json(tostring(log.requestObject))
| extend podSpec = requestObject.spec.runtime.podspec
| where isnotnull(podSpec)
  and (
    tobool(podSpec.hostPID) == true
    or tobool(podSpec.hostNetwork) == true
    or tobool(podSpec.hostIPC) == true
    or isnotnull(podSpec.volumes)
    // privileged is a container-level securityContext field, so search the whole PodSpec
    or tostring(podSpec) matches regex @'"privileged"\s*:\s*true'
    or isnotnull(podSpec.initContainers)
    or isnotnull(podSpec.tolerations)
    or isnotnull(podSpec.nodeSelector)
  )
| extend actor = tostring(log.user.username)
| extend sourceIP = tostring(log.sourceIPs[0])
| extend targetNamespace = tostring(log.objectRef.namespace)
| extend environmentName = tostring(log.objectRef.name)
| project TimeGenerated, actor, sourceIP, targetNamespace, environmentName, podSpec, verb = tostring(log.verb)

Uses Kubernetes audit logs to detect creation or modification of Fission Environment CRDs containing suspicious PodSpec fields such as hostPID, hostNetwork, hostIPC, privileged containers, or host volume mounts, which are indicators of CVE-2026-50545 exploitation.

Severity: critical. Confidence: high.

Data Sources

Azure Kubernetes Service, Kubernetes Audit Logs, Microsoft Defender for Cloud

Required Tables

AuditLogs, AzureDiagnostics

False Positives

  • Legitimate Fission administrators deploying environments with custom podSpec fields for performance reasons
  • Infrastructure-as-code pipelines applying templated Fission environment manifests with host networking for specific use cases
  • Security tooling or admission webhooks performing test mutations against Fission CRDs in staging clusters

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-50545 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Fission Environment CRD HostPID Injection

    Expected signal: Kubernetes audit log entry: verb=create, objectRef.resource=environments, objectRef.namespace=fission, requestObject containing spec.runtime.podspec.hostPID=true and securityContext.privileged=true

  2. Test 2: Fission Environment HostPath Volume Mount for Node Escape

    Expected signal: Kubernetes audit log showing spec.runtime.podspec.volumes[].hostPath.path='/' in the Fission Environment requestObject

  3. Test 3: Fission Function Execution with Injected Privileged Container

    Expected signal: Kubernetes audit events for Environment create (with hostIPC/privileged), Function create referencing it, and pod create in fission-function namespace with SecurityContext.privileged=true; CrowdStrike ProcessRollup2 events from the Fission executor with privileged container indicators
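
An added example (not part of the original page or its test package): a Python replay of the rule's predicates over constructed audit records shaped like the expected signals of Tests 1 and 2, for checking the logic offline before deploying the query. The `sample` helper, the user name and the environment name are assumptions; `privileged` is read from each container's securityContext, where Kubernetes defines it.

```python
import json

HOST_FLAGS = ("hostPID", "hostNetwork", "hostIPC")
PRESENT = ("volumes", "initContainers", "tolerations", "nodeSelector")

def suspicious_fields(podspec):
    """Names of the PodSpec fields that the rule treats as suspicious."""
    hits = [f for f in HOST_FLAGS if podspec.get(f) is True]
    hits += [f for f in PRESENT if podspec.get(f) is not None]
    # `privileged` is a container-level securityContext field in Kubernetes.
    ctrs = (podspec.get("containers") or []) + (podspec.get("initContainers") or [])
    if any((c.get("securityContext") or {}).get("privileged") is True for c in ctrs):
        hits.append("privileged")
    return hits

def evaluate(raw):
    """Apply the rule to one audit record (JSON string); return a finding or None."""
    log = json.loads(raw)
    ref = log.get("objectRef") or {}
    if log.get("verb") not in ("create", "update", "patch"):
        return None
    if ref.get("resource") != "environments" or "fission.io" not in (ref.get("apiGroup") or ""):
        return None
    # requestObject is only logged at audit level Request or RequestResponse.
    spec = (log.get("requestObject") or {}).get("spec") or {}
    podspec = (spec.get("runtime") or {}).get("podspec")
    hits = suspicious_fields(podspec) if isinstance(podspec, dict) else []
    if not hits:
        return None
    return {"actor": (log.get("user") or {}).get("username"),
            "environment": ref.get("name"), "fields": hits}

def sample(verb, podspec, resource="environments", name="demo-env"):
    """Build a constructed audit record; every value here is made up."""
    return json.dumps({"verb": verb, "user": {"username": "dev-user"},
        "objectRef": {"resource": resource, "apiGroup": "fission.io",
                      "namespace": "fission", "name": name},
        "requestObject": {"spec": {"runtime": {"podspec": podspec}}}})

SAMPLES = {  # constructed inputs, not captured from a real cluster
    "test1": sample("create", {"hostPID": True, "containers": [
        {"name": "env", "securityContext": {"privileged": True}}]}),
    "test2": sample("update", {"volumes": [{"name": "h", "hostPath": {"path": "/"}}]}),
    "benign": sample("create", {"containers": [
        {"name": "env", "resources": {"limits": {"memory": "256Mi"}}}]}),
    "read": sample("get", {"hostPID": True}),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, evaluate(raw))
```

The benign record, which only sets container resource limits, produces no finding; that is the baseline to keep when tuning for the false positives listed above.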
