Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-50564.
Upgrade to ProDetect Fission Environment CRD PodSpec Passthrough Node Escape (CVE-2026-50564) in IBM QRadar
Fission (<=1.23.0) allows the Environment Custom Resource podspec passthrough (poolspec.container / poolspec.podspec) to inject arbitrary Kubernetes PodSpec fields including hostPID, hostNetwork, hostIPC, and privileged securityContext into builder/executor pods created by the fission-builder and fission-router controllers. Any principal able to create or update Environment CRDs (which in many multi-tenant Fission deployments includes low-privileged function developers) can escalate to full node compromise by scheduling a privileged, host-namespace-sharing pod, then pivoting to the underlying kubelet, container runtime socket, or other pods on the node. CVSS 9.9.
MITRE ATT&CK
QRadar Detection Query
SELECT DATEFORMAT(devicetime,'YYYY-MM-dd HH:mm:ss') AS EventTime, username, "Namespace", "Object Name", payload
FROM events
WHERE LOGSOURCETYPENAME(logsourcetypeid) = 'Kubernetes Audit'
AND (payload ILIKE '%fission.io/environment%' OR payload ILIKE '%environments.fission.io%')
AND (payload ILIKE '%hostPID%' OR payload ILIKE '%hostNetwork%' OR payload ILIKE '%hostIPC%' OR payload ILIKE '%"privileged":true%')
AND (payload ILIKE '%"verb":"create"%' OR payload ILIKE '%"verb":"update"%' OR payload ILIKE '%"verb":"patch"%')
LAST 24 HOURS QRadar AQL search identifying Fission Environment CRD create/update/patch events whose payload includes privileged or host-namespace podspec passthrough keys.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate use of custom privileged build environments by platform admins
- Bulk reconciliation events from GitOps controllers reapplying pre-approved manifests
- Payload substring matches on unrelated resources that coincidentally reference the same field names
Other platforms for CVE-2026-50564
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Deploy Fission Environment with hostPID and privileged podspec passthrough
Expected signal: Kubernetes API audit log entry (verb=create) for environments.fission.io/atomic-test-hostpid-env containing hostPID:true and securityContext.privileged:true in the request object.
- Test 2Deploy Fission Environment with hostNetwork passthrough
Expected signal: Kubernetes API audit log entry (verb=create) for environments.fission.io/atomic-test-hostnet-env containing hostNetwork:true in the request object.
- Test 3Patch existing Fission Environment to add hostIPC after initial benign creation
Expected signal: Kubernetes API audit log entries for both create and patch verbs on environments.fission.io/atomic-test-patch-env, with the patch event's requestObject containing hostIPC:true and privileged:true.
References (6)
- https://github.com/fission/fission/security/advisories/GHSA-gx55-f84r-v3r7
- https://nvd.nist.gov/vuln/detail/CVE-2026-50564
- https://github.com/fission/fission/pull/3391
- https://github.com/fission/fission/commit/e484df8460bb4e8026e24210120602aa7f181f64
- https://github.com/fission/fission/releases/tag/v1.24.0
- https://github.com/advisories/GHSA-gx55-f84r-v3r7
Unlock playbooks & atomic tests with Pro
Get the full detection package for CVE-2026-50564 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month