CVE-2026-50563 Overview
CVE-2026-50563 is a privilege escalation vulnerability in Fission, an open-source Kubernetes-native serverless framework. The Container Executor path allows a tenant to supply Function.spec.podspec directly. The executor merges the tenant-controlled spec into the executor-built podspec, then creates a Deployment whose pods run the user's container image. This grants tenants control over Pod fields that should remain restricted, enabling escape from the intended multi-tenant boundary [CWE-269]. The flaw affects all versions prior to 1.24.0 and is patched in Fission 1.24.0.
Critical Impact
A low-privileged tenant can manipulate Pod specifications to escalate privileges within the Kubernetes cluster, leading to full compromise of confidentiality, integrity, and availability across tenant boundaries.
Affected Products
- Fission (Kubernetes-native serverless framework)
- All versions prior to 1.24.0
- Deployments using the Container Executor path
Discovery Timeline
- 2026-06-10 - CVE-2026-50563 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-50563
Vulnerability Analysis
Fission supports multiple executor types for running serverless functions, including a Container Executor that creates Kubernetes Deployments for user-supplied container images. The executor builds an internal podspec to enforce platform constraints, then merges tenant-provided values from Function.spec.podspec into that spec. Because the merge accepts arbitrary Pod fields, tenants can override security-sensitive settings the platform expects to control.
A tenant with permission to create or update Fission Function resources can inject Pod fields such as securityContext, hostPath volume mounts, serviceAccountName, hostNetwork, hostPID, or privileged container settings. The merged Deployment then runs with these tenant-chosen properties under the executor's namespace and service account context. This violates the trust boundary between the tenant API surface and the cluster-level controller. The vulnerability is classified under [CWE-269] Improper Privilege Management.
Root Cause
The Container Executor performs an unrestricted merge of Function.spec.podspec into the executor-built podspec without validating or filtering tenant-supplied fields. No admission logic strips sensitive Pod attributes before the Deployment is created, so tenant input flows directly into the workload definition that the controller submits to the Kubernetes API.
Attack Vector
The attack is network-reachable and requires only low privileges, specifically the ability to create or modify Fission Function objects. An attacker crafts a Function resource whose spec.podspec includes elevated securityContext settings, host namespace flags, or a privileged service account reference. When Fission instantiates the function, the executor produces a Deployment that runs the attacker's container with those elevated properties, enabling node access, secret theft, or lateral movement across the cluster. Technical specifics are documented in the Fission Security Advisory GHSA-v455-mv2v-5g92 and the corresponding GitHub Pull Request #3391.
Detection Methods for CVE-2026-50563
Indicators of Compromise
- Fission Function resources whose spec.podspec contains privileged: true, hostPID, hostNetwork, or hostPath volumes.
- Deployments created by the Fission executor running with non-default serviceAccountName values or elevated capabilities.
- Pods launched in Fission-managed namespaces with container images outside approved registries.
Detection Strategies
- Audit the Kubernetes API server logs for Function create and update events referencing sensitive Pod fields.
- Apply admission policies (OPA Gatekeeper, Kyverno) that reject Fission Functions containing restricted podspec keys.
- Compare running Deployments managed by Fission against an allowlist of expected security contexts and service accounts.
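The indicators and detection strategies above can be turned into a scan of the Function objects already present in a cluster. The following script is an added example, not part of this advisory and not Fission's own tooling: it takes the JSON that `kubectl get functions.fission.io -A -o json` produces, walks each `Function.spec.podspec` and reports the restricted fields named above (hostPID, hostNetwork, hostIPC, serviceAccountName, hostPath volumes, privileged containers, added capabilities). The restricted-key sets are this example's choice, and the sample Function list with its names, namespaces and images is constructed.

```python
"""Audit Fission Function objects for tenant-supplied PodSpec fields that the
platform, not the tenant, should control (the CVE-2026-50563 indicators).

Added example, not Fission's own tooling. Input is the JSON produced by
`kubectl get functions.fission.io -A -o json`; the sample below is constructed."""
import json
import sys

# Top-level PodSpec keys a tenant should never be able to set through spec.podspec
# (this set is the example's choice, not a Fission list).
RESTRICTED_POD_KEYS = {
    "hostPID", "hostNetwork", "hostIPC",
    "serviceAccountName", "serviceAccount", "automountServiceAccountToken",
}
# Volume sources that expose the node filesystem.
RESTRICTED_VOLUME_SOURCES = {"hostPath"}


def _container_findings(where, container):
    """Flag privileged or capability-granting settings on one container entry."""
    findings = []
    sc = container.get("securityContext") or {}
    if sc.get("privileged") is True:
        findings.append(f"{where}.securityContext.privileged=true")
    if sc.get("runAsUser") == 0:
        findings.append(f"{where}.securityContext.runAsUser=0")
    for cap in (sc.get("capabilities") or {}).get("add") or []:
        findings.append(f"{where}.securityContext.capabilities.add={cap}")
    return findings


def find_restricted_podspec_fields(function_obj):
    """Return 'path=value' strings for every restricted field found in
    Function.spec.podspec; an empty list means the podspec is clean."""
    podspec = (function_obj.get("spec") or {}).get("podspec") or {}
    findings = []
    for key in sorted(RESTRICTED_POD_KEYS.intersection(podspec)):
        findings.append(f"podspec.{key}={podspec[key]!r}")
    pod_sc = podspec.get("securityContext") or {}
    if pod_sc.get("runAsUser") == 0:
        findings.append("podspec.securityContext.runAsUser=0")
    for i, vol in enumerate(podspec.get("volumes") or []):
        for src in sorted(RESTRICTED_VOLUME_SOURCES.intersection(vol)):
            path = (vol[src] or {}).get("path", "")
            findings.append(f"podspec.volumes[{i}].{src}={path}")
    for field in ("initContainers", "containers"):
        for i, c in enumerate(podspec.get(field) or []):
            findings.extend(_container_findings(f"podspec.{field}[{i}]", c))
    return findings


def audit_function_list(function_list):
    """Map 'namespace/name' -> findings for every Function in a kubectl List
    whose podspec carries restricted fields."""
    report = {}
    for fn in function_list.get("items") or []:
        meta = fn.get("metadata") or {}
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        findings = find_restricted_podspec_fields(fn)
        if findings:
            report[key] = findings
    return report


# Constructed sample: one benign Function and one that sets the fields the
# advisory names as indicators. Names, namespaces and images are made up.
SAMPLE_FUNCTION_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "fission.io/v1", "kind": "Function",
            "metadata": {"name": "hello-ok", "namespace": "tenant-a"},
            "spec": {"environment": {"name": "python", "namespace": "default"},
                     "podspec": {"containers": [{"name": "hello",
                                                 "image": "example.invalid/hello:1.0",
                                                 "resources": {"limits": {"cpu": "100m"}}}]}},
        },
        {
            "apiVersion": "fission.io/v1", "kind": "Function",
            "metadata": {"name": "hello-escalated", "namespace": "tenant-a"},
            "spec": {"environment": {"name": "python", "namespace": "default"},
                     "podspec": {
                         "hostPID": True,
                         "serviceAccountName": "fission-executor",
                         "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                         "containers": [{"name": "hello",
                                         "image": "example.invalid/hello:1.0",
                                         "securityContext": {"privileged": True,
                                                             "capabilities": {"add": ["SYS_ADMIN"]}},
                                         "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}},
        },
    ],
}

if __name__ == "__main__":
    # Live use: kubectl get functions.fission.io -A -o json | python3 audit_fission.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_FUNCTION_LIST
    for name, findings in audit_function_list(data).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

Run it against the sample to see the five findings for `tenant-a/hello-escalated`, or pipe live cluster JSON into it. The same walk over `spec.template.spec` of the Deployments the executor created gives the running-state comparison from the detection strategies above, which catches Functions that were already instantiated before the policy was in place.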
Monitoring Recommendations
- Stream Kubernetes audit logs and Fission controller logs into a centralized analytics platform for correlation across tenants.
- Alert on container runtime telemetry indicating host namespace access, mounted host paths, or capability escalation inside Fission-managed pods.
- Track Fission version inventory across clusters to confirm upgrades to 1.24.0 or later.
How to Mitigate CVE-2026-50563
Immediate Actions Required
- Upgrade all Fission installations to version 1.24.0 or later as published in the Fission v1.24.0 release notes.
- Inventory existing Function resources and remove or remediate any that contain tenant-supplied privileged podspec fields.
- Restrict RBAC permissions for creating or updating Fission Function objects to trusted principals only.
Patch Information
The vulnerability is fixed in Fission 1.24.0. The fix, delivered via GitHub Pull Request #3391, restricts which fields from Function.spec.podspec are merged into the executor-built podspec, preventing tenants from overriding security-sensitive Pod attributes.
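The root cause described above and the shape of the fix can be shown side by side: an unrestricted merge of Function.spec.podspec into the executor-built podspec, and an allowlist merge that only admits fields the platform chooses to expose. The following is an added illustration in Python, not Fission's code (Fission is written in Go) and not the field list actually chosen in PR #3391; the allowlists, the service-account name, the image and the tenant podspec are all assumptions constructed for the example.

```python
"""Root cause of CVE-2026-50563 and the shape of its fix, side by side: an
unrestricted merge of Function.spec.podspec into the executor-built podspec,
and an allowlist merge that only admits fields the platform chooses to expose.

Added illustration in Python. Fission is written in Go; neither its real merge
code nor the exact field list selected in PR #3391 is reproduced here, and the
allowlists, service-account name and image below are assumptions."""
import copy

# Assumed allowlists: fields a tenant may tune without touching the security
# boundary. "env" is deliberately absent because valueFrom can pull secrets
# from the executor's namespace; securityContext and volume fields stay out.
ALLOWED_POD_FIELDS = {"nodeSelector", "tolerations", "affinity"}
ALLOWED_CONTAINER_FIELDS = {"resources", "command", "args"}


def build_executor_podspec(image):
    """Baseline the executor controls (constructed): the platform fixes the
    service account and security context; the tenant only supplies the image."""
    return {
        "serviceAccountName": "fission-function-sa",  # hypothetical name
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "fn",
            "image": image,
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False},
        }],
    }


def merge_unrestricted(base, tenant):
    """The pre-1.24.0 behaviour the advisory describes: every tenant key lands
    in the result, dicts merge recursively and lists merge element by element,
    so tenant values win over anything the executor set."""
    merged = copy.deepcopy(base)
    for key, value in tenant.items():
        current = merged.get(key)
        if isinstance(value, dict) and isinstance(current, dict):
            merged[key] = merge_unrestricted(current, value)
        elif isinstance(value, list) and isinstance(current, list):
            items = []
            for i, item in enumerate(value):
                if i < len(current) and isinstance(item, dict) and isinstance(current[i], dict):
                    items.append(merge_unrestricted(current[i], item))
                else:
                    items.append(copy.deepcopy(item))
            merged[key] = items
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def merge_allowlisted(base, tenant):
    """Allowlist merge: copy only permitted pod-level keys and, per container,
    only permitted container-level keys. Returns (merged, rejected) so the
    controller can fail the Function loudly rather than silently drop input."""
    merged = copy.deepcopy(base)
    rejected = []
    for key, value in tenant.items():
        if key in ALLOWED_POD_FIELDS:
            merged[key] = copy.deepcopy(value)
        elif key == "containers":
            for i, tenant_container in enumerate(value):
                for ckey, cval in tenant_container.items():
                    if ckey in ALLOWED_CONTAINER_FIELDS and i < len(merged["containers"]):
                        merged["containers"][i][ckey] = copy.deepcopy(cval)
                    else:
                        rejected.append(f"containers[{i}].{ckey}")
        else:
            rejected.append(key)
    return merged, rejected


# Constructed tenant input using the fields the advisory lists as indicators.
TENANT_PODSPEC = {
    "hostPID": True,
    "serviceAccountName": "tenant-chosen-sa",
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "nodeSelector": {"disktype": "ssd"},
    "containers": [{
        "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}},
        "securityContext": {"privileged": True},
        "volumeMounts": [{"name": "root", "mountPath": "/host"}],
    }],
}


def compare(image="example.invalid/hello:1.0"):
    """Run both merges on the same input; returns (vulnerable, fixed, rejected)."""
    base = build_executor_podspec(image)
    vulnerable = merge_unrestricted(base, TENANT_PODSPEC)
    fixed, rejected = merge_allowlisted(base, TENANT_PODSPEC)
    return vulnerable, fixed, rejected


if __name__ == "__main__":
    vulnerable, fixed, rejected = compare()
    print("unrestricted merge ->", vulnerable)
    print("allowlisted merge  ->", fixed)
    print("rejected tenant fields:", rejected)
```

The unrestricted merge hands the tenant hostPID, a service account of their choosing, a hostPath volume and a privileged container while keeping the executor's image, which is exactly the merged Deployment the advisory describes. The allowlisted merge keeps the executor's service account and security context, admits only the scheduling and resource hints, and returns the rejected keys so the controller can refuse the Function instead of silently discarding fields, which also gives the audit trail the detection section asks for.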
Workarounds
- Enforce a Kubernetes admission controller policy that rejects Fission Function objects containing securityContext.privileged, hostPID, hostNetwork, hostIPC, or hostPath volumes.
- Apply Pod Security Standards at the restricted level on Fission executor namespaces to block privileged Pod creation regardless of the controller input.
- Disable the Container Executor path for untrusted tenants until the upgrade to 1.24.0 is complete.
# Verify Fission version and upgrade via Helm
# List each Fission control-plane deployment with its image; the image tag carries the version
kubectl -n fission get deploy -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.template.spec.containers[*].image}{"\n"}{end}'
# Register the Fission chart repository if it is not already present, then refresh the index
helm repo add fission-charts https://fission.github.io/fission-charts/
helm repo update
helm upgrade --install fission fission-charts/fission-all \
  --namespace fission \
  --create-namespace \
  --version 1.24.0