Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-50564.

Upgrade to Pro
CVE-2026-50564 Microsoft Sentinel · KQL

Detect Fission Environment CRD PodSpec Passthrough Node Escape (CVE-2026-50564) in Microsoft Sentinel

Fission (<=1.23.0) allows the Environment Custom Resource podspec passthrough (poolspec.container / poolspec.podspec) to inject arbitrary Kubernetes PodSpec fields including hostPID, hostNetwork, hostIPC, and privileged securityContext into builder/executor pods created by the fission-builder and fission-router controllers. Any principal able to create or update Environment CRDs (which in many multi-tenant Fission deployments includes low-privileged function developers) can escalate to full node compromise by scheduling a privileged, host-namespace-sharing pod, then pivoting to the underlying kubelet, container runtime socket, or other pods on the node. CVSS 9.9.

MITRE ATT&CK

Tactic
Privilege Escalation Lateral Movement Initial Access

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// Requires AKS/Azure Kubernetes audit logs forwarded to Sentinel (AzureDiagnostics / KubeAuditLogs)
let susPodSpecKeys = dynamic(["hostPID", "hostNetwork", "hostIPC", "privileged"]);
AzureDiagnostics
| where Category == "kube-audit"
| where log_s has "fission.io/environment" or log_s has "environments.fission.io"
| where log_s has_any (susPodSpecKeys)
| extend Verb = extract("\"verb\":\"([a-z]+)\"", 1, log_s)
| where Verb in ("create", "update", "patch")
| extend RequestUser = extract("\"username\":\"([^\"]+)\"", 1, log_s)
| extend Namespace = extract("\"namespace\":\"([^\"]+)\"", 1, log_s)
| project TimeGenerated, RequestUser, Namespace, Verb, log_s
| order by TimeGenerated desc
critical severity high confidence

Detects create/update/patch operations on Fission Environment CRDs where the raw audit payload contains privileged podspec passthrough fields (hostPID, hostNetwork, hostIPC, privileged), indicating exploitation of GHSA-gx55-f84r-v3r7.

Data Sources

Kubernetes API Audit Logs (AKS Diagnostics)

Required Tables

AzureDiagnostics

False Positives & Tuning

  • Legitimate platform administrators intentionally configuring privileged build environments for approved CI/CD workloads
  • Cluster infrastructure operators deploying node-level agents through custom Fission environments for monitoring
  • Automated GitOps reconciliation re-applying an environment manifest that legitimately requires host networking for approved network testing

Other platforms for CVE-2026-50564


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Deploy Fission Environment with hostPID and privileged podspec passthrough

    Expected signal: Kubernetes API audit log entry (verb=create) for environments.fission.io/atomic-test-hostpid-env containing hostPID:true and securityContext.privileged:true in the request object.

  2. Test 2Deploy Fission Environment with hostNetwork passthrough

    Expected signal: Kubernetes API audit log entry (verb=create) for environments.fission.io/atomic-test-hostnet-env containing hostNetwork:true in the request object.

  3. Test 3Patch existing Fission Environment to add hostIPC after initial benign creation

    Expected signal: Kubernetes API audit log entries for both create and patch verbs on environments.fission.io/atomic-test-patch-env, with the patch event's requestObject containing hostIPC:true and privileged:true.

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-50564 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections