CVE-2026-50545 Sumo Logic CSE · Sumo

Detect CVE-2026-50545 — Fission Environment CRD PodSpec Injection Leading to Node Escape in Sumo Logic CSE

Detects exploitation of CVE-2026-50545, a critical privilege escalation vulnerability in the Fission serverless framework (<=1.23.0) in which an attacker with permission to create or modify Fission Environment CRDs can inject arbitrary PodSpec fields. This enables mounting host paths, disabling securityContext constraints, running privileged containers, or escaping to the underlying Kubernetes node, potentially resulting in full cluster takeover. CVSS 9.9.

MITRE ATT&CK

Tactics: Privilege Escalation, Lateral Movement, Impact

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=kubernetes/audit
| json field=_raw "verb" as verb
| json field=_raw "objectRef.resource" as resource
| json field=_raw "objectRef.apiGroup" as apiGroup
| json field=_raw "user.username" as actor
| json field=_raw "sourceIPs[0]" as sourceIP
| json field=_raw "objectRef.namespace" as namespace
| json field=_raw "objectRef.name" as envName
| json field=_raw "requestObject.spec.runtime.podspec" as podSpec nodrop
| where verb in ("create","update","patch")
  and resource = "environments"
  and apiGroup contains "fission.io"
  and !isNull(podSpec)
  and (
    podSpec contains "hostPID\":true"
    or podSpec contains "hostNetwork\":true"
    or podSpec contains "hostIPC\":true"
    or podSpec contains "privileged\":true"
    or podSpec contains "hostPath"
  )
| fields _messagetime, actor, sourceIP, namespace, envName, verb, podSpec
Severity: critical. Confidence: high.

Sumo Logic query over Kubernetes audit logs detecting Fission Environment CRD mutations with dangerous PodSpec fields injected, indicative of CVE-2026-50545 exploitation.

Data Sources

Kubernetes Audit Logs, Sumo Logic Kubernetes Collection

Required Tables

_sourceCategory=kubernetes/audit

False Positives & Tuning

  • Approved Fission environment deployments configured with custom runtime podspec for GPU or high-performance workloads
  • GitOps tooling (Flux, ArgoCD) reconciling Fission CRD state that includes extended podspec configurations
  • Security posture testing tools validating Fission admission webhook enforcement

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Fission Environment CRD HostPID Injection

    Expected signal: Kubernetes audit log entry: verb=create, objectRef.resource=environments, objectRef.namespace=fission, requestObject containing spec.runtime.podspec.hostPID=true and securityContext.privileged=true

  2. Test 2: Fission Environment HostPath Volume Mount for Node Escape

    Expected signal: Kubernetes audit log showing spec.runtime.podspec.volumes[].hostPath.path='/' in the Fission Environment requestObject

  3. Test 3: Fission Function Execution with Injected Privileged Container

    Expected signal: Kubernetes audit events for Environment create (with hostIPC/privileged), Function create referencing it, and pod create in fission-function namespace with SecurityContext.privileged=true; CrowdStrike ProcessRollup2 events from the Fission executor with privileged container indicators
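
The expected signals above can be checked offline before relying on the rule. The following is an added example, not part of the original detection package: it applies the same conditions as the Sumo query to parsed audit events and reports the exact PodSpec path that matched, rather than matching substrings. The `sample` helper, the user `dev-user`, the image name and the environment names are constructed for illustration.

```python
import json

# Verbs and PodSpec flags mirror the Sumo query on this page.
MUTATING_VERBS = {"create", "update", "patch"}
RISKY_FLAGS = {"hostPID", "hostNetwork", "hostIPC", "privileged"}

def walk(node, path):
    """Yield (path, key, value) for every key nested under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def risky_podspec_fields(event):
    """Return sorted paths of dangerous fields in a Fission Environment mutation."""
    ref = event.get("objectRef") or {}
    if (event.get("verb") not in MUTATING_VERBS or ref.get("resource") != "environments"
            or "fission.io" not in (ref.get("apiGroup") or "")):
        return []
    node = event.get("requestObject")
    for key in ("spec", "runtime", "podspec"):  # non-dict bodies have no podspec path
        node = node.get(key) if isinstance(node, dict) else None
    hits = []
    for path, key, value in walk(node, "podspec"):
        if key in RISKY_FLAGS and value is True:
            hits.append(path)
        elif key == "hostPath" and isinstance(value, dict):
            hits.append(f"{path}.path={value.get('path')}")
    return sorted(hits)

def scan(lines):
    """Parse JSON audit log lines; return (actor, environment, hits) per match."""
    found = ((e, risky_podspec_fields(e)) for e in map(json.loads, lines))
    return [(e["user"]["username"], e["objectRef"]["name"], hits) for e, hits in found if hits]

def sample(verb, name, podspec):  # constructed audit event; all names are made up
    return json.dumps({"verb": verb, "user": {"username": "dev-user"},
                       "objectRef": {"resource": "environments", "apiGroup": "fission.io",
                                     "namespace": "fission", "name": name},
                       "requestObject": {"spec": {"runtime": {"image": "example/env", "podspec": podspec}}}})

SAMPLE_LINES = [
    sample("create", "env-a", {"hostPID": True, "containers": [{"securityContext": {"privileged": True}}]}),
    sample("update", "env-b", {"volumes": [{"name": "h", "hostPath": {"path": "/"}}]}),
    sample("create", "env-gpu", {"nodeSelector": {"gpu": "true"}, "hostNetwork": False}),
]
print(scan(SAMPLE_LINES))
```

The third sample models the GPU-style false positive listed under tuning: a custom podspec without host-level flags produces no alert.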
