Detect Fission Container Executor PodSpec Injection - Node Escape Attempt in Splunk
Detects exploitation of CVE-2026-50563, a critical privilege escalation vulnerability in the Fission serverless framework (<=1.23.0). The container executor allows unauthenticated or low-privileged users to inject arbitrary PodSpec fields into function pods, enabling container escape to the underlying Kubernetes node. Attackers can inject hostPID, hostNetwork, privileged containers, hostPath volume mounts, or custom service accounts to achieve full node compromise.
SPL Detection Query
index=kubernetes (sourcetype=kube:apiserver:audit OR sourcetype=kube:container:log)
| eval is_fission_ns=if(match('objectRef.namespace', "^fission"), 1, 0)
| eval is_pod_create=if(match(verb, "create|patch|update") AND 'objectRef.resource'="pods", 1, 0)
| eval has_privesc_field=if(
match(_raw, "hostPID.*true|hostNetwork.*true|hostIPC.*true|privileged.*true|hostPath|allowPrivilegeEscalation.*true"),
1, 0
)
| eval is_escape_log=if(
match(log, "nsenter|/proc/1/root|/host/|chroot.*proc|escape"),
1, 0
)
| where (is_fission_ns=1 AND is_pod_create=1 AND has_privesc_field=1) OR (is_fission_ns=1 AND is_escape_log=1)
| eval detection_type=case(
is_pod_create=1 AND has_privesc_field=1, "PodSpec Injection",
is_escape_log=1, "Container Escape Indicator",
true(), "Unknown"
)
| eval cve="CVE-2026-50563"
| eval severity="critical"
| table _time, host, user.username, sourceIPs{}, objectRef.namespace, objectRef.name, detection_type, requestObject.spec.hostPID, requestObject.spec.hostNetwork, requestObject.spec.hostIPC, requestObject.spec.containers{}.securityContext.privileged, requestObject.spec.volumes{}.hostPath.path, log, cve, severity
| sort -_time

Detects Fission PodSpec injection attempts and container escape indicators from Kubernetes API server audit logs and container logs. The PodSpec match runs against _raw rather than a requestObject.spec field, because Splunk's JSON extraction only creates leaf fields (requestObject.spec.hostPID and so on), and the table lists those leaf fields instead; sourceIPs is extracted as the multivalue field sourceIPs{}.
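The same where/case logic as the SPL above, written as an added Python example (not part of the original detection page) that walks the PodSpec structure instead of regex-matching the raw event, so a securityContext set to false or a benign emptyDir volume does not trigger it. The event shapes are constructed assumptions: audit events carry verb/objectRef/requestObject as in the Kubernetes audit format, and container log events carry namespace, pod and log as separate fields; the bare "escape" keyword from the SPL is left out because it is the noisiest indicator.

```python
import re

# Constructed sample events (not real Fission telemetry), shaped like the two sourcetypes the SPL
# searches: Kubernetes audit JSON, and a container log event carrying its namespace metadata.
SAMPLE_EVENTS = [
    {"verb": "create", "objectRef": {"resource": "pods", "namespace": "fission-function", "name": "fn-1"},
     "user": {"username": "system:serviceaccount:fission:fission-executor"}, "sourceIPs": ["10.0.0.5"],
     "requestObject": {"spec": {"hostPID": True,
                                "containers": [{"name": "fn", "securityContext": {"privileged": True}}],
                                "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}},
    {"verb": "create", "objectRef": {"resource": "pods", "namespace": "fission-function", "name": "fn-2"},
     "user": {"username": "system:serviceaccount:fission:fission-executor"}, "sourceIPs": ["10.0.0.5"],
     "requestObject": {"spec": {"containers": [
         {"name": "fn", "securityContext": {"allowPrivilegeEscalation": False}}]}}},
    {"namespace": "fission-function", "pod": "fn-1", "log": "nsenter --target 1 --mount --pid sh"},
    {"namespace": "default", "pod": "web", "log": "GET /host/health 200"},
]

# Same indicators as the SPL, minus the bare word "escape" (too noisy next to security tooling logs).
ESCAPE_RE = re.compile(r"nsenter|/proc/1/root|/host/|chroot.*proc")

def privesc_fields(spec):
    """Walk a PodSpec and name every field that gives a function pod node-level reach."""
    found = [f for f in ("hostPID", "hostNetwork", "hostIPC") if spec.get(f) is True]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        for key in ("privileged", "allowPrivilegeEscalation"):
            if sc.get(key) is True:
                found.append(f"containers[{c.get('name')}].securityContext.{key}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            found.append(f"volumes[{v.get('name')}].hostPath={v['hostPath'].get('path')}")
    return found

def classify(event):
    """Return (detection_type, evidence) or None, mirroring the SPL's where/case logic."""
    if "verb" in event:  # kube:apiserver:audit event
        ref = event.get("objectRef", {})
        if not ref.get("namespace", "").startswith("fission"):
            return None
        if event["verb"] in ("create", "patch", "update") and ref.get("resource") == "pods":
            fields = privesc_fields((event.get("requestObject") or {}).get("spec") or {})
            if fields:
                return ("PodSpec Injection", fields)
        return None
    if not event.get("namespace", "").startswith("fission"):  # kube:container:log event
        return None
    m = ESCAPE_RE.search(event.get("log", ""))
    return ("Container Escape Indicator", [m.group(0)]) if m else None
```

Running classify() over SAMPLE_EVENTS flags fn-1 twice (the injected spec, then the nsenter log line) and stays silent on the hardened fn-2 pod and on the non-Fission namespace.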
False Positives & Tuning
- Authorized cluster administrators creating privileged debug pods in Fission namespaces
- Fission internal system operations that temporarily elevate pod privileges during function environment setup
- Security tooling (Falco, Tetragon) generating logs containing escape-related keywords during baseline profiling
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Fission PodSpec Injection - hostPID Escape
Expected signal: Kubernetes audit log entry with verb=create, objectRef.resource=pods, objectRef.namespace=fission-function, requestObject.spec.hostPID=true. Container process list will show host-level PIDs including kubelet, containerd, and other node processes.
- Test 2: Fission PodSpec Injection - Privileged Container with hostPath Root Mount
Expected signal: Kubernetes audit log with requestObject.spec.containers[0].securityContext.privileged=true and requestObject.spec.volumes containing hostPath.path=/. Container runtime logs showing privileged container start. Node-level filesystem access to /etc/passwd and hostname file.
- Test 3: Fission Container Escape via nsenter After PodSpec Injection
Expected signal: Process telemetry on Kubernetes node showing nsenter executed with --target 1 argument. Host PID 1 (init/systemd) namespace join event visible in node audit logs. Container log output matching host OS details rather than Alpine container OS.
References
- https://github.com/fission/fission/security/advisories/GHSA-v455-mv2v-5g92
- https://nvd.nist.gov/vuln/detail/CVE-2026-50563
- https://github.com/fission/fission/pull/3391
- https://github.com/fission/fission/commit/e484df8460bb4e8026e24210120602aa7f181f64
- https://github.com/fission/fission/releases/tag/v1.24.0
- https://github.com/advisories/GHSA-v455-mv2v-5g92