Platform: go
Component: github.com/controlplaneio-fluxcd/flux-operator
Fixed in: 0.36.1, 0.40.0
CVE-2026-23990 describes an impersonation bypass in Flux Operator, a Kubernetes operator for GitOps workflows. The flaw allows an attacker to circumvent the operator's impersonation checks by presenting an OpenID Connect (OIDC) token whose relevant claims are empty, potentially gaining unauthorized access to, and control over, the Kubernetes resources the operator manages. Versions prior to 0.40.0 are affected; the fixed releases are listed above.
The primary impact of CVE-2026-23990 is unauthorized access and privilege escalation within a Kubernetes cluster. An attacker who can obtain an OIDC token with empty claims bypasses the impersonation restrictions, so the request is no longer attributed to and authorized as the intended user or service account. This could let them modify the Flux resources the operator manages (for example, repointing a source), deploy malicious workloads, or read sensitive data. The blast radius covers every resource managed by Flux Operator, since the attacker can manipulate the GitOps workflow itself. The issue underlines the need for strict authentication and authorization checks in GitOps tooling that acts on behalf of users.
CVE-2026-23990 was publicly disclosed on 2026-02-02. No public proof-of-concept (PoC) has been released, but the nature of the bug (an empty claim value, rather than a memory-safety or timing condition) suggests a low barrier to exploitation. The EPSS score is 0.06% (19th percentile). The CVE is not currently listed in the CISA KEV catalog. Given the potential impact and the ease of exploitation, organizations running Flux Operator should prioritize patching.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA KEV: not listed
The primary mitigation for CVE-2026-23990 is to upgrade Flux Operator to version 0.40.0 or later (or the corresponding fixed release listed above), which closes the impersonation bypass. If upgrading is not immediately feasible, reduce exposure at the identity provider: configure it to always emit non-empty `email` and `groups` claims for the users who are allowed to reach the operator. Then review any custom CEL expressions that derive the impersonated `username` and `groups` from the token and make sure they can never evaluate to an empty value; an expression that falls back to an empty string when a claim is missing reproduces the vulnerable condition. Regularly audit the Flux Operator configuration to confirm that impersonation restrictions remain in force. After upgrading, confirm the fix in a test environment by triggering an impersonation flow with a crafted OIDC token whose `email` and `groups` claims are empty; the request should be rejected rather than executed.
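The following Go program is an added illustration of the bug class this page describes and is not Flux Operator's own code; how the operator internally maps claims to impersonation headers is not documented on this page, so the mapping function, the type names and the behaviour of the "unchecked" path are assumptions. It models a gateway that authenticates a user with OIDC, derives a Kubernetes identity from the `email` and `groups` claims (standing in for the CEL expressions mentioned above), and forwards the request to the API server with the standard `Impersonate-User` and `Impersonate-Group` headers. The unchecked version shows why an empty claim is dangerous: kube-apiserver treats a request with an empty `Impersonate-User` header as not impersonating anyone, so it is authorized as the caller's own identity (the operator's service account) instead of the user's. The hardened version enforces the non-empty `username` and `groups` rule from the mitigation text.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// OIDCClaims is the subset of ID-token claims the mapping below consumes.
// The claim names (email, groups) follow the mitigation text on this page.
type OIDCClaims struct {
	Email  string
	Groups []string
}

// Identity is what the gateway puts into the Kubernetes impersonation headers.
type Identity struct {
	Username string
	Groups   []string
}

// ErrEmptyIdentity is returned when the mapped identity must not be impersonated.
var ErrEmptyIdentity = errors.New("refusing to impersonate: username or groups resolved to empty")

// mapClaims is a hypothetical claim-to-identity mapping (an assumption, not the
// operator's real CEL logic): username comes from email, groups are copied with
// blank entries dropped. It does no validation, so an empty or missing email
// claim yields an empty username.
func mapClaims(c OIDCClaims) Identity {
	groups := make([]string, 0, len(c.Groups))
	for _, g := range c.Groups {
		if g = strings.TrimSpace(g); g != "" {
			groups = append(groups, g)
		}
	}
	return Identity{Username: strings.TrimSpace(c.Email), Groups: groups}
}

// impersonationHeadersUnchecked is the vulnerable pattern: whatever the mapping
// produced is copied into the headers, including an empty username.
func impersonationHeadersUnchecked(id Identity) http.Header {
	h := http.Header{}
	h.Set("Impersonate-User", id.Username)
	for _, g := range id.Groups {
		h.Add("Impersonate-Group", g)
	}
	return h
}

// impersonationHeaders is the hardened form: it refuses to forward a request
// whose mapped username or group list is empty, the guarantee the mitigation
// text asks operators to enforce in their CEL expressions.
func impersonationHeaders(id Identity) (http.Header, error) {
	if id.Username == "" || len(id.Groups) == 0 {
		return nil, ErrEmptyIdentity
	}
	return impersonationHeadersUnchecked(id), nil
}

// apiServerSeesImpersonation mirrors the kube-apiserver rule that only a
// non-empty Impersonate-User header marks a request as impersonated. With an
// empty one the request is authorized as the caller's own identity, here the
// operator's service account, not as the OIDC user. (A group header without a
// user is rejected outright by the API server; that case is not modelled.)
func apiServerSeesImpersonation(h http.Header) bool {
	return h.Get("Impersonate-User") != ""
}

func main() {
	// Constructed sample tokens: one well-formed, one with empty claims.
	samples := []OIDCClaims{
		{Email: "alice@example.com", Groups: []string{"platform-team"}},
		{Email: "", Groups: []string{"", "  "}},
	}
	for _, c := range samples {
		id := mapClaims(c)
		fmt.Printf("claims=%+v\n", c)
		fmt.Printf("  unchecked: impersonated=%v (false means the request runs as the operator itself)\n",
			apiServerSeesImpersonation(impersonationHeadersUnchecked(id)))
		if _, err := impersonationHeaders(id); err != nil {
			fmt.Printf("  hardened:  rejected: %v\n", err)
		} else {
			fmt.Printf("  hardened:  forwarded as %q\n", id.Username)
		}
	}
}
```

The same shape of check applies wherever a CEL expression feeds impersonation: evaluate the expression, then refuse the request if the result is empty, rather than trusting that every identity provider will always populate the claim.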
CVE-2026-23990 is a vulnerability in Flux Operator versions before 0.40.0 that allows attackers to bypass impersonation checks via empty OIDC claims, potentially gaining unauthorized access to Kubernetes resources.
You are affected if you run a Flux Operator version prior to 0.40.0 (or prior to the corresponding fixed release listed above) with OIDC authentication enabled. Assess your environment immediately.
Upgrade Flux Operator to version 0.40.0 or later. If an immediate upgrade is not possible, ensure your OIDC provider always emits non-empty `email` and `groups` claims and that the CEL expressions deriving `username` and `groups` can never produce empty values.
No active exploitation has been confirmed, but the bug is simple to trigger, so organizations should prioritize patching.
Refer to the official Flux Operator documentation and release notes for details on CVE-2026-23990 and the corresponding fix: [https://fluxcd.io/](https://fluxcd.io/)