CVE-2026-52831

Nuclio Cron Trigger Header/Body Command Injection (CVE-2026-52831)

Detects exploitation of CVE-2026-52831, a critical (CVSS 10.0) command injection vulnerability in Nuclio's cron trigger handling. Unsanitized event headers and body content are injected into a CronJob-generated shell command, enabling unauthenticated attackers to achieve persistent remote code execution inside Nuclio function containers and, from there, the underlying Kubernetes node. Detection focuses on shell metacharacter injection in Nuclio dashboard/trigger logs, anomalous child processes spawned from nuclio-handler/processor binaries, and suspicious CronJob-launched shell activity in Kubernetes.

Vulnerability Intelligence

Public PoC

What is CVE-2026-52831 Nuclio Cron Trigger Header/Body Command Injection (CVE-2026-52831)?

Nuclio Cron Trigger Header/Body Command Injection (CVE-2026-52831) (CVE-2026-52831) maps to the Initial Access and Execution and Privilege Escalation and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Nuclio Cron Trigger Header/Body Command Injection (CVE-2026-52831), covering the data sources and telemetry it touches: Kubernetes Audit Logs, Container Logs, Azure Kubernetes Service (AKS) Diagnostics. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation Persistence
Microsoft Sentinel / Defender
kusto
KubePodInventory
| where Namespace has "nuclio"
| where ContainerName has "processor" or ContainerName has "nuclio"
| join kind=inner (
    ContainerLog
    | where LogEntry matches regex @"(;|\||&&|\$\(|`|>|<|\bcurl\b|\bwget\b|\bnc\b|/bin/sh|/bin/bash)"
) on ContainerID
| project TimeGenerated, Namespace, PodName=Name, ContainerName, LogEntry
| order by TimeGenerated desc

Detects Nuclio cron-triggered pod/container logs containing shell metacharacters or common exploitation utilities (curl, wget, nc, sh/bash invocation) indicative of command injection via cron trigger event headers or body.

critical severity medium confidence

Data Sources

Kubernetes Audit Logs Container Logs Azure Kubernetes Service (AKS) Diagnostics

Required Tables

KubePodInventory ContainerLog

False Positives

  • Legitimate function code that legitimately shells out to curl/wget for data retrieval
  • Debug logging that echoes raw HTTP headers for troubleshooting
  • CI/CD pipelines using Nuclio functions with embedded shell commands by design

Sigma rule & cross-platform mapping

The detection logic for Nuclio Cron Trigger Header/Body Command Injection (CVE-2026-52831) (CVE-2026-52831) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate malicious cron trigger header injection

    Expected signal: Nuclio processor container log entries showing the injected header value and a subsequent shell process (sh/bash) spawned as a child of the processor binary

  2. Test 2Simulate cron trigger body command injection

    Expected signal: Outbound HTTP request from the Nuclio processor container to attacker.lab.local and creation of a curl child process under the processor binary

  3. Test 3Detect unpatched Nuclio dashboard version

    Expected signal: Nuclio dashboard API access log entry for /api/versions endpoint request

  4. Test 4Simulate persistent CronJob creation via injection

    Expected signal: Kubernetes audit log CronJob create event in the nuclio namespace originating from an in-cluster service account associated with the processor pod

Unlock Pro Content

Get the full detection package for CVE-2026-52831 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections