CVE-2026-23990
Privilege Escalation in Flux Operator Web UI via RBAC Bypass
Publication date: 2026-01-21
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| control-plane | flux_operator | From 0.36.0 (inc) to 0.40.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Flux Operator Web UI authentication code for Kubernetes. It allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. This happens when the Flux Operator is configured with an OIDC provider that issues tokens missing expected claims like 'email' or 'groups', or when custom CEL expressions evaluate to empty values. Because there is no validation that the resulting 'username' and 'groups' values are non-empty, the Kubernetes client-go library does not add impersonation headers, causing API requests to run with elevated privileges.
How can this vulnerability impact me? :
This vulnerability can lead to privilege escalation, allowing an attacker to execute API requests with the Flux Operator's service account privileges rather than the limited permissions of the authenticated user. This can result in unauthorized access to sensitive data, data exposure, and information disclosure within the Kubernetes cluster.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Flux Operator to version 0.40.0 or later, as this version patches the privilege escalation vulnerability. Additionally, review your OIDC provider configuration to ensure tokens include the expected claims such as 'email' and 'groups', and avoid using custom CEL expressions that can evaluate to empty values for username and groups. This will prevent the Kubernetes client-go library from executing API requests with the flux-operator service account's privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows privilege escalation and potential data exposure or information disclosure by bypassing Kubernetes RBAC controls. Such unauthorized access and data exposure could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Therefore, organizations using vulnerable versions of the Flux Operator may face compliance risks if this vulnerability is exploited.