Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-50564.
Upgrade to ProFission Environment CRD PodSpec Passthrough Node Escape (CVE-2026-50564)
Fission (<=1.23.0) allows the Environment Custom Resource podspec passthrough (poolspec.container / poolspec.podspec) to inject arbitrary Kubernetes PodSpec fields including hostPID, hostNetwork, hostIPC, and privileged securityContext into builder/executor pods created by the fission-builder and fission-router controllers. Any principal able to create or update Environment CRDs (which in many multi-tenant Fission deployments includes low-privileged function developers) can escalate to full node compromise by scheduling a privileged, host-namespace-sharing pod, then pivoting to the underlying kubelet, container runtime socket, or other pods on the node. CVSS 9.9.
Vulnerability Intelligence
Public PoCAffected Software
- Vendor
- go
- Product
- github.com/fission/fission
- Versions
- <= 1.23.0
Timeline
- Disclosed
- June 30, 2026
References & Proof of Concept
- PoChttps://github.com/advisories/GHSA-gx55-f84r-v3r7
- https://github.com/fission/fission/security/advisories/GHSA-gx55-f84r-v3r7
- https://nvd.nist.gov/vuln/detail/CVE-2026-50564
- https://github.com/fission/fission/pull/3391
- https://github.com/fission/fission/commit/e484df8460bb4e8026e24210120602aa7f181f64
- https://github.com/fission/fission/releases/tag/v1.24.0
What is CVE-2026-50564 Fission Environment CRD PodSpec Passthrough Node Escape (CVE-2026-50564)?
Fission Environment CRD PodSpec Passthrough Node Escape (CVE-2026-50564) (CVE-2026-50564) maps to the Privilege Escalation and Lateral Movement and Initial Access tactics — the adversary is trying to gain higher-level permissions in MITRE ATT&CK.
This page provides production-ready detection logic for Fission Environment CRD PodSpec Passthrough Node Escape (CVE-2026-50564), covering the data sources and telemetry it touches: Kubernetes API Audit Logs (AKS Diagnostics). The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
// Requires AKS/Azure Kubernetes audit logs forwarded to Sentinel (AzureDiagnostics / KubeAuditLogs)
let susPodSpecKeys = dynamic(["hostPID", "hostNetwork", "hostIPC", "privileged"]);
AzureDiagnostics
| where Category == "kube-audit"
| where log_s has "fission.io/environment" or log_s has "environments.fission.io"
| where log_s has_any (susPodSpecKeys)
| extend Verb = extract("\"verb\":\"([a-z]+)\"", 1, log_s)
| where Verb in ("create", "update", "patch")
| extend RequestUser = extract("\"username\":\"([^\"]+)\"", 1, log_s)
| extend Namespace = extract("\"namespace\":\"([^\"]+)\"", 1, log_s)
| project TimeGenerated, RequestUser, Namespace, Verb, log_s
| order by TimeGenerated desc Detects create/update/patch operations on Fission Environment CRDs where the raw audit payload contains privileged podspec passthrough fields (hostPID, hostNetwork, hostIPC, privileged), indicating exploitation of GHSA-gx55-f84r-v3r7.
Data Sources
Required Tables
False Positives
- Legitimate platform administrators intentionally configuring privileged build environments for approved CI/CD workloads
- Cluster infrastructure operators deploying node-level agents through custom Fission environments for monitoring
- Automated GitOps reconciliation re-applying an environment manifest that legitimately requires host networking for approved network testing
Sigma rule & cross-platform mapping
The detection logic for Fission Environment CRD PodSpec Passthrough Node Escape (CVE-2026-50564) (CVE-2026-50564) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: azure Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-50564
References (6)
- https://github.com/fission/fission/security/advisories/GHSA-gx55-f84r-v3r7
- https://nvd.nist.gov/vuln/detail/CVE-2026-50564
- https://github.com/fission/fission/pull/3391
- https://github.com/fission/fission/commit/e484df8460bb4e8026e24210120602aa7f181f64
- https://github.com/fission/fission/releases/tag/v1.24.0
- https://github.com/advisories/GHSA-gx55-f84r-v3r7
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Deploy Fission Environment with hostPID and privileged podspec passthrough
Expected signal: Kubernetes API audit log entry (verb=create) for environments.fission.io/atomic-test-hostpid-env containing hostPID:true and securityContext.privileged:true in the request object.
- Test 2Deploy Fission Environment with hostNetwork passthrough
Expected signal: Kubernetes API audit log entry (verb=create) for environments.fission.io/atomic-test-hostnet-env containing hostNetwork:true in the request object.
- Test 3Patch existing Fission Environment to add hostIPC after initial benign creation
Expected signal: Kubernetes API audit log entries for both create and patch verbs on environments.fission.io/atomic-test-patch-env, with the patch event's requestObject containing hostIPC:true and privileged:true.
Unlock playbooks & atomic tests with Pro
Get the full detection package for CVE-2026-50564 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month