CVE-2026-40109
Authentication Bypass in Flux Notification-Controller gcr Receiver
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluxcd | notification-controller | 1.8.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Flux notification-controller prior to version 1.8.3, specifically in the gcr Receiver type. It does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This means that any valid Google-issued token can authenticate against the Receiver webhook endpoint without proper verification.
To exploit this, an attacker must know the Receiver's webhook URL, which is generated using a hash of a token, name, and namespace. Since the webhook URL is not publicly enumerable and requires access to the cluster or leaked secrets to discover, exploitation is limited.
If successfully exploited, the attacker can trigger unauthorized Flux reconciliations, causing the controller to reconcile all resources listed in the Receiver's configuration. However, because Flux reconciliation is idempotent and deduplicates requests, repeated or unnecessary reconciliations have limited practical impact.
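The check that the answer above describes as missing can be shown in a few lines. The block below is an added example written for this page, not code from Flux or the notification-controller repository: `VerifyGoogleToken` performs only the generic OIDC checks (signature, issuer, audience, expiry), which is the level of validation that lets any Google-issued token through, and `AuthorizePush` adds the `email_verified` / `email` comparison against the push service account configured for the receiver. The RSA key is generated locally and stands in for Google's published signing keys; the audience URL, the service-account addresses and all function names are this example's own placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Google ID-token claims this check looks at.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Exp           int64  `json:"exp"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// Constructed placeholders for the example: not a real receiver URL or account.
const (
	audience     = "https://flux-receiver.example.invalid/hook/PLACEHOLDER"
	allowedEmail = "pubsub-push@PROJECT-PLACEHOLDER.iam.gserviceaccount.com"
)

var enc = base64.RawURLEncoding

// NewKey makes a throwaway RSA key; it stands in for Google's JWKS keys here.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignToken mints an RS256 JWT with the given claims (stand-in for Google).
func SignToken(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc.EncodeToString(sig)
}

// VerifyGoogleToken does the generic OIDC checks only: alg, signature, issuer,
// audience and expiry. On its own this accepts any valid Google-issued token.
func VerifyGoogleToken(token string, pub *rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], raw[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com" {
		return nil, errors.New("wrong issuer")
	}
	if c.Aud != audience {
		return nil, errors.New("wrong audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthorizePush is the fixed shape: the token must also carry a verified email
// equal to the push service account configured for this receiver.
func AuthorizePush(token string, pub *rsa.PublicKey, now time.Time) error {
	c, err := VerifyGoogleToken(token, pub, now)
	if err != nil {
		return err
	}
	if !c.EmailVerified || c.Email != allowedEmail {
		return fmt.Errorf("token email %q is not the configured push account", c.Email)
	}
	return nil
}

// Demo signs two tokens with the same trusted key, one for the configured
// account and one for an unrelated identity, and reports which checks pass.
func Demo() map[string]bool {
	key := NewKey()
	now := time.Unix(1_700_000_000, 0)
	base := Claims{Iss: "https://accounts.google.com", Aud: audience, Exp: now.Unix() + 300, EmailVerified: true}
	good, other := base, base
	good.Email = allowedEmail
	other.Email = "someone-else@PROJECT-PLACEHOLDER.iam.gserviceaccount.com"
	gt, ot := SignToken(key, good), SignToken(key, other)
	_, errG := VerifyGoogleToken(gt, &key.PublicKey, now)
	_, errO := VerifyGoogleToken(ot, &key.PublicKey, now)
	return map[string]bool{
		"good_generic":   errG == nil,
		"other_generic":  errO == nil, // true: generic checks alone let it through
		"good_fixed":     AuthorizePush(gt, &key.PublicKey, now) == nil,
		"other_fixed":    AuthorizePush(ot, &key.PublicKey, now) == nil,
		"tampered_fixed": AuthorizePush(ot+"x", &key.PublicKey, now) == nil,
	}
}

func main() { fmt.Println(Demo()) }
```

The second token is a perfectly valid Google-style token for a different identity; `VerifyGoogleToken` accepts it, which is the accepted-without-proof condition CWE-287 describes, while `AuthorizePush` rejects it because the `email` claim is not the configured push account. In a real receiver the public key comes from Google's JWKS endpoint rather than a local key, and the allowed email is per-receiver configuration.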
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability allows an attacker who knows the Receiver's webhook URL to trigger unauthorized Flux reconciliations. This could potentially cause unexpected or unwanted operations within the cluster.
However, the impact is limited because Flux reconciliation is idempotent, meaning if the desired state has not changed, the reconciliation will have no effect on the cluster state.
Additionally, Flux controllers deduplicate reconciliation requests, so multiple rapid requests result in only a single reconciliation, reducing the risk of denial-of-service or resource exhaustion.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Flux notification-controller version 1.8.3. The immediate step to mitigate this vulnerability is to upgrade the Flux notification-controller to version 1.8.3 or later.
Since exploitation requires knowledge of the Receiver's webhook URL, ensure that access to Kubernetes Secrets and the Receiver's .status.webhookPath is tightly controlled and that secrets are not leaked.