Detect CVE-2026-50545 — Fission Environment CRD PodSpec Injection Leading to Node Escape in CrowdStrike LogScale
Detects exploitation of CVE-2026-50545, a critical privilege escalation vulnerability in Fission serverless framework (<=1.23.0) where an attacker with permissions to create or modify Fission Environment CRDs can inject arbitrary PodSpec fields. This enables mounting host paths, disabling securityContext constraints, running privileged containers, or escaping to the underlying Kubernetes node, potentially resulting in full cluster takeover. CVSS 9.9.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName=ProcessRollup2
| event_platform=Lin
| ImageFileName=/fission|executor|fetcher/i
| CommandLine=/(hostPID|hostNetwork|hostIPC|privileged.*true|hostPath)/i
| groupby([aid, ComputerName, UserName, ImageFileName, CommandLine])
| join
(
#event_simpleName=NetworkConnectIP4
| event_platform=Lin
| RemotePort in [443, 6443, 8443, 8080, 10250]
| groupby([aid, ComputerName, RemoteIP, RemotePort])
)
on aid
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, RemoteIP, RemotePort]) CrowdStrike Falcon Query Language detection correlating Fission executor or fetcher process events with suspicious PodSpec-related command arguments and outbound connections to Kubernetes API or kubelet ports, indicating potential CVE-2026-50545 post-exploitation activity.
Data Sources
Required Tables
False Positives & Tuning
- Fission executor containers performing legitimate function dispatch that triggers process events matching the pattern
- Kubernetes node-level monitoring agents scanning Fission environment configurations for compliance
- Container runtime (containerd/runc) operations spawning Fission-related processes during normal workload scheduling
Other platforms for CVE-2026-50545
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Fission Environment CRD HostPID Injection
Expected signal: Kubernetes audit log entry: verb=create, objectRef.resource=environments, objectRef.namespace=fission, requestObject containing spec.runtime.podspec.hostPID=true and securityContext.privileged=true
- Test 2Fission Environment HostPath Volume Mount for Node Escape
Expected signal: Kubernetes audit log showing spec.runtime.podspec.volumes[].hostPath.path='/' in the Fission Environment requestObject
- Test 3Fission Function Execution with Injected Privileged Container
Expected signal: Kubernetes audit events for Environment create (with hostIPC/privileged), Function create referencing it, and pod create in fission-function namespace with SecurityContext.privileged=true; CrowdStrike ProcessRollup2 events from the Fission executor with privileged container indicators
References (8)
- https://github.com/fission/fission/security/advisories/GHSA-wmgg-3p4h-48x7
- https://nvd.nist.gov/vuln/detail/CVE-2026-50545
- https://github.com/fission/fission/pull/3390
- https://github.com/fission/fission/pull/3391
- https://github.com/fission/fission/commit/8fa799417c77ce8a0189d9858bfe11ece29b84a6
- https://github.com/fission/fission/commit/e484df8460bb4e8026e24210120602aa7f181f64
- https://github.com/fission/fission/releases/tag/v1.24.0
- https://github.com/advisories/GHSA-wmgg-3p4h-48x7
Unlock Pro Content
Get the full detection package for CVE-2026-50545 including response playbook, investigation guide, and atomic red team tests.