Fission Container Executor PodSpec Injection - Node Escape Attempt
Detects exploitation of CVE-2026-50563, a critical privilege escalation vulnerability in the Fission serverless framework (<= 1.23.0). The container executor allows unauthenticated or low-privileged users to inject arbitrary PodSpec fields into function pods, enabling container escape to the underlying Kubernetes node. Attackers can inject hostPID, hostNetwork, privileged containers, hostPath volume mounts, or custom service accounts to achieve full node compromise.
Vulnerability Intelligence
Public PoC
Affected Software
- Vendor: go
- Product: github.com/fission/fission
- Versions: <= 1.23.0
Timeline
- Disclosed: June 30, 2026
References & Proof of Concept
- PoC: https://github.com/advisories/GHSA-v455-mv2v-5g92
- https://github.com/fission/fission/security/advisories/GHSA-v455-mv2v-5g92
- https://nvd.nist.gov/vuln/detail/CVE-2026-50563
- https://github.com/fission/fission/pull/3391
- https://github.com/fission/fission/commit/e484df8460bb4e8026e24210120602aa7f181f64
- https://github.com/fission/fission/releases/tag/v1.24.0
What is CVE-2026-50563 Fission Container Executor PodSpec Injection - Node Escape Attempt?
Fission Container Executor PodSpec Injection - Node Escape Attempt (CVE-2026-50563) maps to the MITRE ATT&CK tactics Privilege Escalation, Lateral Movement and Initial Access. In ATT&CK's terms, the adversary is trying to gain higher-level permissions.
This page provides production-ready detection logic for Fission Container Executor PodSpec Injection - Node Escape Attempt, covering the data sources and telemetry it touches: AzureDiagnostics, KubePodInventory, ContainerLog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
// PodSpec field names whose presence in a Fission function pod warrants review.
let SuspiciousPodSpecFields = dynamic(["hostPID", "hostNetwork", "hostIPC", "privileged", "hostPath", "allowPrivilegeEscalation"]);
let FissionNamespaces = dynamic(["fission", "fission-function", "fission-builder"]);
union
(
    // Branch 1: pod writes in Fission namespaces, taken from the Kubernetes audit log.
    // requestObject is only populated when the audit policy records pods at Request level or above.
    AzureDiagnostics
    | where Category == "kube-audit"
    | where TimeGenerated > ago(24h)
    | extend AuditLog = parse_json(log_s)
    | where tostring(AuditLog.objectRef.resource) == "pods"
    | where tostring(AuditLog.objectRef.namespace) in (FissionNamespaces)
    | where tostring(AuditLog.verb) in ("create", "patch", "update")
    | extend PodSpec = tostring(AuditLog.requestObject.spec)
    // has_any matches the field name whatever its value, so "privileged":false also matches.
    | where PodSpec has_any (SuspiciousPodSpecFields)
    | extend UserAgent = tostring(AuditLog.userAgent)
    | extend Username = tostring(AuditLog.user.username)
    | extend SourceIP = tostring(AuditLog.sourceIPs[0])
    | extend PodName = tostring(AuditLog.objectRef.name)
    | extend Namespace = tostring(AuditLog.objectRef.namespace)
    | project TimeGenerated, Username, SourceIP, PodName, Namespace, UserAgent, PodSpec
    | extend AlertReason = "Suspicious PodSpec field in Fission namespace pod creation"
),
(
    // Branch 2: container log lines from Fission pods that mention escape-related keywords.
    KubePodInventory
    | where TimeGenerated > ago(24h)
    | where Namespace in (FissionNamespaces)
    | join kind=inner (
        ContainerLog
        | where TimeGenerated > ago(24h)
        | where LogEntry has_any ("hostPID", "hostNetwork", "privileged: true", "escape", "nsenter", "/proc/1/root")
    ) on ContainerID
    // KubePodInventory stores the pod name in the Name column.
    | project TimeGenerated, PodName = Name, Namespace, ContainerName, LogEntry
    | extend AlertReason = "Fission function container log indicates escape attempt"
)
| extend CVE = "CVE-2026-50563"
| extend Severity = "Critical"

Detects PodSpec injection attempts in Fission namespaces via Kubernetes audit logs and container log indicators of node escape activity. Monitors for privileged fields being injected into function pods.
Data Sources
Required Tables: AzureDiagnostics, KubePodInventory, ContainerLog
False Positives
- Legitimate infrastructure automation that creates privileged pods in Fission namespaces for debugging purposes
- Kubernetes operators or admission controllers that modify pod specs during normal reconciliation
- Security scanning tools that inspect container configurations and trigger log keywords
Sigma rule & cross-platform mapping
The detection logic for Fission Container Executor PodSpec Injection - Node Escape Attempt (CVE-2026-50563) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
    product: azure
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Fission PodSpec Injection - hostPID Escape
  Expected signal: Kubernetes audit log entry with verb=create, objectRef.resource=pods, objectRef.namespace=fission-function, requestObject.spec.hostPID=true. Container process list will show host-level PIDs including kubelet, containerd, and other node processes.
- Test 2: Fission PodSpec Injection - Privileged Container with hostPath Root Mount
  Expected signal: Kubernetes audit log with requestObject.spec.containers[0].securityContext.privileged=true and requestObject.spec.volumes containing hostPath.path=/. Container runtime logs showing privileged container start. Node-level filesystem access to /etc/passwd and hostname file.
- Test 3: Fission Container Escape via nsenter After PodSpec Injection
  Expected signal: Process telemetry on Kubernetes node showing nsenter executed with --target 1 argument. Host PID 1 (init/systemd) namespace join event visible in node audit logs. Container log output matching host OS details rather than Alpine container OS.
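
The audit-log signals expected for Tests 1 and 2, checked by value rather than by field name, as an added example that is not part of the original detection package. The sample events are constructed and the function names are hypothetical. Unlike the has_any match in the KQL query, a hardened pod that sets privileged or allowPrivilegeEscalation to false is not flagged.

```python
import json

HOST_FLAGS = ("hostPID", "hostNetwork", "hostIPC")
FISSION_NAMESPACES = {"fission", "fission-function", "fission-builder"}
WRITE_VERBS = {"create", "patch", "update"}

def risky_settings(spec):
    """List the risky settings that are actually enabled in a pod spec dict."""
    found = [flag for flag in HOST_FLAGS if spec.get(flag) is True]
    for vol in spec.get("volumes") or []:
        host_path = vol.get("hostPath")
        if host_path:
            found.append("hostPath:" + str(host_path.get("path")))
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        for key in ("privileged", "allowPrivilegeEscalation"):
            if sc.get(key) is True:
                found.append(f"{c.get('name')}:{key}")
    return found

def triage(audit_line):
    """Return enabled risky settings for one kube-audit JSON line, else []."""
    event = json.loads(audit_line)
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "pods" or ref.get("namespace") not in FISSION_NAMESPACES:
        return []
    if event.get("verb") not in WRITE_VERBS:
        return []
    # requestObject is absent when the audit policy logs pods at Metadata level.
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return risky_settings(spec)

def sample_event(spec, namespace="fission-function"):
    # Constructed audit event for illustration, not real telemetry.
    return json.dumps({"verb": "create",
                       "objectRef": {"resource": "pods", "namespace": namespace},
                       "requestObject": {"spec": spec}})

HARDENED = sample_event({"containers": [{"name": "fn", "securityContext": {
    "privileged": False, "allowPrivilegeEscalation": False}}]})
INJECTED = sample_event({"hostPID": True,
                         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                         "containers": [{"name": "fn", "securityContext": {"privileged": True}}]})

if __name__ == "__main__":
    for label, line in (("hardened", HARDENED), ("injected", INJECTED)):
        print(label, triage(line))
```

An empty result on events that should alert usually means the audit policy records pods at Metadata level, so requestObject never reaches the log.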