CVE-2026-40109

EPSS 0.01%
Veröffentlicht 09.04.2026 21:16:12
Zuletzt bearbeitet 16.04.2026 14:42:01
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed. This vulnerability is fixed in 1.8.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerfluxcd

≫

Produkt notification-controller

Version < 1.8.3

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.016

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/fluxcd/notification-controller/pull/1279

https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3

https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w

https://nvd.nist.gov/vuln/detail/CVE-2026-40109

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40109

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40109

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40109