Platform
go
Component
github.com/controlplaneio-fluxcd/flux-operator
Fixed in
0.36.1
0.40.0
CVE-2026-23990 describes an impersonation bypass vulnerability discovered in Flux Operator, a Kubernetes operator for GitOps. This flaw allows an attacker to circumvent impersonation checks within the Flux Operator Web UI by exploiting empty OpenID Connect (OIDC) claims. Affected versions are those prior to 0.40.0; upgrading to this version resolves the issue.
The vulnerability allows an attacker to bypass impersonation controls within the Flux Operator Web UI. This means an attacker who can craft a malicious OIDC token with empty claims can potentially gain unauthorized access to Kubernetes resources managed by Flux. The scope of impact depends on the permissions granted to the impersonated user. A successful exploit could lead to unauthorized deployments, modifications to existing configurations, or even complete control over the Kubernetes cluster if the impersonated user has sufficient privileges. This is particularly concerning in environments where Flux is used to manage critical infrastructure.
CVE-2026-23990 was publicly disclosed on 2026-02-02. There is currently no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The relatively low CVSS score suggests a medium probability of exploitation, contingent on the availability of a PoC and the prevalence of vulnerable Flux Operator deployments.
Organizations utilizing Flux Operator for GitOps deployments, particularly those relying on OIDC for authentication, are at risk. Shared Kubernetes clusters where multiple teams or applications share resources are especially vulnerable, as a compromised account could potentially impact a wider range of deployments. Legacy Flux Operator configurations with relaxed OIDC claim validation are also at increased risk.
• linux / server: Examine auditd logs for authentication attempts using OIDC tokens. Look for patterns indicating empty claims being accepted. The command below lists the currently loaded audit rules that mention OIDC, so you can confirm the relevant paths are actually being audited:

```shell
auditctl -l | grep -i oidc
```

• go / platform: Monitor Flux Operator logs for errors related to OIDC claim validation. The snippet below shows the shape of such a check; note that an empty but non-nil groups slice must be rejected as well, so test the length rather than comparing against nil:

```go
// Example: reject tokens whose mapped claims are empty. Claims is the caller's
// decoded-claims type; add more checks as needed.
func validateClaims(claims *Claims) (*Claims, error) {
	if claims.Subject == "" || len(claims.Groups) == 0 {
		return nil, errors.New("invalid OIDC claims: empty subject or groups")
	}
	return claims, nil
}
```

• generic web: If Flux Operator exposes a management API, test authentication with a crafted OIDC token containing empty claims to verify the impersonation bypass is prevented after patching.
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Flux Operator to version 0.40.0 or later, which includes a fix for this impersonation bypass. If immediate upgrading is not possible, consider implementing stricter OIDC claim validation within your authentication provider. This might involve configuring your OIDC provider to always return at least minimal claims, preventing the creation of tokens with empty claims. Additionally, review and restrict the permissions granted to impersonated users within Flux to limit the potential blast radius of a successful attack. After upgrading, confirm the fix by attempting to authenticate with a crafted OIDC token containing empty claims; the authentication should fail.
Update Flux Operator to version 0.40.0 or later. If an immediate update is not possible, configure your OIDC provider to issue tokens with non-empty `email` and `groups` claims. Alternatively, review and adjust the custom CEL expressions to ensure that the resulting `username` and `groups` values are not empty.
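The following is an added example, not code from Flux Operator or from this advisory, illustrating the check that both the detection and the mitigation sections call for: after mapping OIDC claims (here `email` to `username` and `groups` to `groups`, the claim names the advisory mentions) the resulting identity is rejected if the username is blank or no non-blank group remains. The `Identity` type, the `ResolveIdentity` function and the claim sets in `main` are hypothetical and constructed for this example; an empty or missing claim must fail closed rather than silently producing an empty principal.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Identity is the principal a Web UI would impersonate towards the Kubernetes
// API after mapping OIDC claims (hypothetical type for this example).
type Identity struct {
	Username string
	Groups   []string
}

// ErrEmptyClaims is returned when the mapped username or groups are empty.
var ErrEmptyClaims = errors.New("oidc: mapped username or groups are empty")

// ResolveIdentity maps raw OIDC claims to an impersonation identity.
// usernameClaim and groupsClaim name the claims to read (e.g. "email" and
// "groups"). It fails closed when the resulting username is blank or when no
// non-blank group survives, which is the condition the advisory describes.
func ResolveIdentity(claims map[string]any, usernameClaim, groupsClaim string) (Identity, error) {
	// A missing claim or a non-string value yields "" and is rejected below.
	username, _ := claims[usernameClaim].(string)
	username = strings.TrimSpace(username)
	if username == "" {
		return Identity{}, fmt.Errorf("%w: claim %q missing or blank", ErrEmptyClaims, usernameClaim)
	}

	// Groups may arrive as []string or, after JSON decoding, as []any.
	var groups []string
	switch raw := claims[groupsClaim].(type) {
	case []string:
		groups = raw
	case []any:
		for _, g := range raw {
			if s, ok := g.(string); ok {
				groups = append(groups, s)
			}
		}
	}
	// Drop blank entries so that [""] or ["  "] does not count as a group.
	var clean []string
	for _, g := range groups {
		if g = strings.TrimSpace(g); g != "" {
			clean = append(clean, g)
		}
	}
	if len(clean) == 0 {
		return Identity{}, fmt.Errorf("%w: claim %q missing or contains no non-blank entries", ErrEmptyClaims, groupsClaim)
	}
	return Identity{Username: username, Groups: clean}, nil
}

func main() {
	// Constructed sample claim sets (not real tokens): one valid, one with empty claims.
	good := map[string]any{"email": "dev@example.com", "groups": []any{"platform-team"}}
	bad := map[string]any{"email": "", "groups": []any{""}}
	for _, c := range []map[string]any{good, bad} {
		id, err := ResolveIdentity(c, "email", "groups")
		fmt.Printf("claims=%v -> identity=%+v err=%v\n", c, id, err)
	}
}
```

Wrapping the sentinel with `%w` lets callers use `errors.Is(err, ErrEmptyClaims)` to log the rejection distinctly, which is the log signal the detection section suggests watching for.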
CVE-2026-23990 is a vulnerability in Flux Operator versions before 0.40.0 that allows attackers to bypass impersonation checks via empty OIDC claims, potentially gaining unauthorized access to Kubernetes resources.
You are affected if you are running Flux Operator versions prior to 0.40.0 and using OIDC for authentication. Assess your environment immediately.
Upgrade Flux Operator to version 0.40.0 or later. If immediate upgrade is not possible, implement stricter OIDC claim validation.
While no active exploitation has been confirmed, the vulnerability's nature suggests a low barrier to exploitation, and organizations should prioritize patching.
Refer to the official Flux Operator documentation and release notes for details on CVE-2026-23990 and the corresponding fix: [https://fluxcd.io/](https://fluxcd.io/)