External risk intelligence

Fission Environment CRD Privilege Escalation Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-50564

A vulnerability in the Fission serverless framework allows a low-privilege attacker with limited Kubernetes cluster access to potentially escalate privileges. By manipulating Fission's Environment Custom Resource Definition, an attacker could gain elevated access, leading to compromise of cluster resources and sensitiv

3Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-50564

Fission is a Kubernetes-native serverless framework. While the vulnerable configuration (Environment CRD) is typically managed by authorized users within a Kubernetes cluster rather than being directly exposed to the public internet, it is a backend infrastructure component that could be reachable if the Kubernetes API or management interfaces are improperly exposed.

PCI scan relevance

PCI Relevance for CVE-2026-50564

Yes

CVE-2026-50564 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Fission vulnerability allows for container privilege escalation, potentially causing a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts Fission, an open-source framework for deploying applications on Kubernetes. It allows for elevated privileges on the underlying Kubernetes infrastructure, potentially leading to significant compromise of affected systems if exploited. The main concern is confirming relevance and exposure within your environment.

  • Serverless framework allows unauthorized system access.
  • Impacts Kubernetes infrastructure, a critical component.
  • Confirm relevance and exposure to Fission usage.

Attack Path

How an attacker could exploit the issue

An attacker with limited access to a Kubernetes cluster could potentially compromise the entire cluster. This is achieved by creating or modifying a Fission Environment Custom Resource Definition (CRD) that includes malicious configurations. These configurations allow the attacker to gain elevated privileges, potentially leading to the execution of arbitrary code and full control over the cluster's resources.

  • Requires limited cluster access.
  • Triggered by creating a malicious Environment CRD.
  • Risk of full cluster compromise.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, a low-privilege attacker could exploit this vulnerability to gain elevated privileges within a Kubernetes cluster by manipulating Fission environment configurations. This could allow unauthorized access to cluster resources and sensitive data.

  • Cluster infrastructure and data.
  • Manipulating environment configurations.
  • Unauthorized access and control.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Owners of applications and infrastructure within the Kubernetes environment are likely responsible for addressing this vulnerability. The first practical step is to identify all Fission deployments, determine their reachability and criticality, and then plan remediation.

  • Platform or application owners should own.
  • Verify Fission deployment reachability.
  • Plan remediation based on risk.

Frequently asked questions

What is Fission?

Fission is an open-source, Kubernetes-native serverless framework. It allows developers to deploy functions and applications directly onto Kubernetes clusters without managing the underlying infrastructure complexity. It uses custom resource definitions, such as the Environment CRD, to define how code should be built and executed within the cluster.

What does CVE-2026-50564 mean for security?

This vulnerability involves improper access control and protection mechanisms. Specifically, the software fails to validate or filter sensitive configuration settings in Environment CRDs. This allows a user to define pod specifications that inherit high-level system permissions, effectively bypassing security boundaries intended to restrict what code can do on the host infrastructure.

How can an attacker trigger CVE-2026-50564?

An attacker needs the ability to create or modify Fission Environment CRDs. By injecting specific configurations into these definitions, they can force the system to run pods with elevated host-level privileges or access rights. Simply viewing existing configurations without the ability to modify or submit new CRD specifications does not trigger this vulnerability.

Is my cluster at risk for CVE-2026-50564?

Halo Surface Signal notes that while Fission is typically managed by authorized users, risk depends on accessibility. If your Kubernetes API or management interfaces are improperly exposed to broader networks, the potential for unauthorized interaction increases. Organizations should evaluate if their Fission instances are reachable beyond the internal cluster network.

How do I address this Fission vulnerability?

The primary response is to upgrade your Fission installation to version 1.24.0 or later, where security validation for these configurations was implemented. Before applying the update, identify where Fission is deployed in your environment, assess who has permission to modify Environment CRDs, and prioritize patching based on the sensitivity of the data handled by those specific serverless functions.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished