CVE-2026-50563 Sumo Logic CSE · Sumo

Detect Fission Container Executor PodSpec Injection - Node Escape Attempt in Sumo Logic CSE

Detects exploitation of CVE-2026-50563, a critical privilege-escalation vulnerability in the Fission serverless framework (versions <= 1.23.0). The container executor lets unauthenticated or low-privileged users inject arbitrary PodSpec fields into function pods, which turns a function deployment into a container escape onto the underlying Kubernetes node. An attacker can inject hostPID, hostNetwork, hostIPC, a privileged security context, hostPath volume mounts, or a custom service account to achieve full node compromise.

MITRE ATT&CK

Tactic
Privilege Escalation, Lateral Movement, Initial Access

Sumo Detection Query

Sumo Logic CSE (Sumo)

```
_sourceCategory=kubernetes/audit OR _sourceCategory=kubernetes/containers
| json field=_raw "objectRef.namespace" as namespace nodrop
| json field=_raw "objectRef.resource" as resource nodrop
| json field=_raw "verb" as verb nodrop
| json field=_raw "user.username" as username nodrop
| json field=_raw "sourceIPs[0]" as source_ip nodrop
| json field=_raw "requestObject.spec" as pod_spec nodrop
| json field=_raw "requestObject.spec.hostPID" as host_pid nodrop
| json field=_raw "requestObject.spec.hostNetwork" as host_network nodrop
| json field=_raw "requestObject.spec.hostIPC" as host_ipc nodrop
| where namespace matches "fission*" or _raw matches "*fission*"
// exact-field checks for the scalar flags; globs only for fields nested inside arrays
| if(host_pid = "true" or host_network = "true" or host_ipc = "true"
     or pod_spec matches "*\"privileged\":true*"
     or pod_spec matches "*\"hostPath\"*", 1, 0) as spec_hit
| where (
    (resource = "pods" and verb in ("create", "patch", "update") and spec_hit = 1)
    or
    (_raw matches "*nsenter*" or _raw matches "*/proc/1/root*" or _raw matches "*/host/*")
  )
| if(spec_hit = 1, "PodSpec Injection", "Escape Indicator") as detection_type
| "CVE-2026-50563" as cve
| timeslice 5m
| count by _timeslice, username, source_ip, namespace, detection_type, cve
| sort by _timeslice desc
```

Severity: critical · Confidence: medium

Sumo Logic search query (Sumo query language, not SQL) to identify Fission PodSpec injection and node escape attempts across Kubernetes audit and container log sources. The scalar flags (hostPID, hostNetwork, hostIPC) are read as JSON fields rather than matched with a loose glob such as "*hostPID*true*", which would also fire on a spec with hostPID=false that merely contains the string "true" somewhere later; privileged and hostPath sit inside arrays, so those are matched on the serialized spec with the quoted key included. The namespace fallback must be "*fission*", since "fission*" is anchored to the start of _raw and never matches a JSON audit event.

Data Sources

Kubernetes Audit Logs, Container Logs

Required Tables

kubernetes/audit, kubernetes/containers

False Positives & Tuning

  • Fission environment initialization routines that temporarily use elevated specs before settling to restrictive policies
  • Kubernetes admission webhook testing that replays privilege escalation payloads in development clusters
  • Authorized red team exercises targeting the Fission namespace with documented scope
  • The escape-indicator branch matches any line containing "nsenter", "/proc/1/root" or "/host/" as long as "fission" appears in the same record; node agents, CNI and log-shipping DaemonSets that legitimately mount the host filesystem will hit it. Scope that branch to the Fission function namespaces or allow-list the known DaemonSet pods.
  • The description lists custom service accounts as an injection vector, but the query does not inspect serviceAccountName. Extract requestObject.spec.serviceAccountName with a json operator and compare it against the account the executor is expected to use if that vector needs coverage.


Testing Methodology

Validate this detection against three adversary techniques in the Atomic Red Team style. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Fission PodSpec Injection - hostPID Escape

    Expected signal: Kubernetes audit log entry with verb=create, objectRef.resource=pods, objectRef.namespace=fission-function, requestObject.spec.hostPID=true. Container process list will show host-level PIDs including kubelet, containerd, and other node processes.

  2. Test 2: Fission PodSpec Injection - Privileged Container with hostPath Root Mount

    Expected signal: Kubernetes audit log with requestObject.spec.containers[0].securityContext.privileged=true and requestObject.spec.volumes containing hostPath.path=/. Container runtime logs showing privileged container start. Node-level filesystem access to /etc/passwd and hostname file.

  3. Test 3: Fission Container Escape via nsenter After PodSpec Injection

    Expected signal: Process telemetry on the Kubernetes node showing nsenter executed with the --target 1 argument. A namespace-join event against host PID 1 (init/systemd) visible in node audit logs. Container log output matching host OS details rather than the Alpine-based container OS. If the exec goes through the API server, the kubernetes/audit source also carries a create on pods/exec whose requestURI includes command=nsenter.
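The query's predicate rewritten in Python and run over constructed log lines modelled on the three tests above and on the query section. This is an added example, not the page's, Fission's or Sumo Logic's code; the audit events, usernames, IP addresses and pod names are invented, and the field names follow the audit.k8s.io/v1 Event shape.

```python
"""Added example, not the page's, Fission's or Sumo Logic's code: the query's
predicate rewritten in Python and run over constructed audit events and
container log lines. Usernames, IPs, pod names and events are invented;
field names follow the audit.k8s.io/v1 Event shape."""
import json

CVE = "CVE-2026-50563"
MUTATING_VERBS = {"create", "patch", "update"}
ESCAPE_MARKERS = ("nsenter", "/proc/1/root", "/host/")


def podspec_findings(spec):
    """Return the risky PodSpec fields the rule looks for, checked as real fields.
    A glob such as "*hostPID*true*" also fires on hostPID=false whenever "true"
    appears later in the spec (an env value, a label); exact checks do not."""
    findings = [f for f in ("hostPID", "hostNetwork", "hostIPC") if spec.get(f) is True]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if any((c.get("securityContext") or {}).get("privileged") is True for c in containers):
        findings.append("privileged")
    paths = [v["hostPath"].get("path", "") for v in spec.get("volumes", []) if "hostPath" in v]
    if paths:
        findings.append("hostPath:" + ",".join(paths))
    return findings


def classify(source_category, raw):
    """Mirror the query's two branches; return (detection_type, details) or None."""
    if source_category == "kubernetes/audit":
        ev = json.loads(raw)
        ref = ev.get("objectRef") or {}
        ns = ref.get("namespace", "")
        if not (ns.startswith("fission") or "fission" in raw):
            return None
        details = {"user": (ev.get("user") or {}).get("username"),
                   "source_ip": (ev.get("sourceIPs") or [None])[0],
                   "namespace": ns, "cve": CVE}
        if ref.get("resource") == "pods" and ev.get("verb") in MUTATING_VERBS:
            findings = podspec_findings((ev.get("requestObject") or {}).get("spec") or {})
            if findings:
                return "PodSpec Injection", dict(details, findings=findings)
        # Free-text indicators also apply to audit events, e.g. a pods/exec
        # request whose requestURI carries command=nsenter.
        if any(m in raw for m in ESCAPE_MARKERS):
            return "Escape Indicator", details
        return None
    # Container logs carry no PodSpec; only the escape indicators apply.
    if "fission" in raw and any(m in raw for m in ESCAPE_MARKERS):
        return "Escape Indicator", {"cve": CVE, "line": raw}
    return None


def _audit(verb, ns, spec=None, user="system:serviceaccount:fission:fission-executor",
           ip="10.0.0.7", **extra):
    """Build one compact audit.k8s.io/v1 Event string (constructed sample data)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
          "user": {"username": user}, "sourceIPs": [ip],
          "objectRef": {"resource": "pods", "namespace": ns}}
    if spec is not None:
        ev["requestObject"] = {"spec": spec}
    ev.update(extra)
    return json.dumps(ev, separators=(",", ":"))


FUNC = {"name": "func", "image": "fission/python-env"}
SAMPLES = [  # constructed; the first two mirror Test 1 and Test 2 above
    ("kubernetes/audit", _audit("create", "fission-function",
                                {"hostPID": True, "containers": [FUNC]})),
    ("kubernetes/audit", _audit("create", "fission-function",
                                {"containers": [dict(FUNC, securityContext={"privileged": True})],
                                 "volumes": [{"name": "root", "hostPath": {"path": "/"}}]})),
    # benign: hostPID is false and the only "true" in the spec is an env value
    ("kubernetes/audit", _audit("create", "fission-function",
                                {"hostPID": False,
                                 "containers": [dict(FUNC, env=[{"name": "DEBUG", "value": "true"}])]})),
    # the same hostPID pod outside any Fission namespace is out of this rule's scope
    ("kubernetes/audit", _audit("create", "default", {"hostPID": True, "containers": []},
                                user="jane@example.com", ip="203.0.113.9")),
    # Test 3: kubectl exec into the injected pod, running nsenter against host PID 1
    ("kubernetes/audit", _audit("create", "fission-function", user="jane@example.com",
                                objectRef={"resource": "pods", "subresource": "exec",
                                           "namespace": "fission-function", "name": "func-abc"},
                                requestURI="/api/v1/namespaces/fission-function/pods/func-abc/exec"
                                           "?command=nsenter&command=--target&command=1")),
    ("kubernetes/containers", '{"namespace":"fission-function","pod":"func-abc",'
                              '"log":"nsenter --target 1 --mount --uts --ipc --net --pid -- sh"}'),
    ("kubernetes/containers", '{"namespace":"fission-function","pod":"func-abc","log":"hello"}'),
]


def run(samples=SAMPLES):
    """Apply classify() to every (source category, raw line) pair and keep the hits."""
    return [hit for hit in (classify(src, raw) for src, raw in samples) if hit]


if __name__ == "__main__":
    for detection_type, details in run():
        print(detection_type, json.dumps(details))
```

Running the block reports four hits: the hostPID pod and the privileged/hostPath pod as PodSpec Injection, and the pods/exec request and the container log line carrying nsenter as Escape Indicator. The benign pod whose only "true" is an env value and the hostPID pod outside a Fission namespace are not reported. The exec case is why classify() tests the spec findings before the free-text markers: it is a create on pods, so a label derived only from resource and verb would file it under PodSpec Injection.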
