Platform
kubernetes
Component
fluxcd/notification-controller
Fixed in
1.8.4
CVE-2026-40109 is a security vulnerability affecting Flux Notification Controller versions 1.0.0 through 1.8.3. It stems from insufficient validation of the Google OIDC tokens used to authenticate Pub/Sub push deliveries to Receivers of type gcr: the controller verifies that the bearer token is a Google-issued OIDC token, but does not check the email claim that identifies which Google identity the token was issued to. Successful exploitation allows an attacker to trigger unauthorized Flux reconciliations, potentially leading to unintended changes in the managed infrastructure.
The core impact of CVE-2026-40109 is unauthorized Flux reconciliations. Because the gcr Receiver does not check the email claim, any valid Google OIDC token carrying the expected audience is accepted, not only one minted for the Pub/Sub push service account the operator intended. An attacker who holds such a token and knows the Receiver's webhook URL can send a crafted push request to the notification-controller's receiver endpoint and pass the check, bypassing the intended restriction on who may trigger the Receiver. The result is reconciliation of the resources the Receiver references at a time of the attacker's choosing, which can apply pending changes from the managed sources before the operator intended. The blast radius is limited to the affected Flux deployment and the resources its Receivers reference. The CVSS score is LOW, but the potential for unauthorized configuration changes warrants prompt remediation.
CVE-2026-40109 was publicly disclosed on 2026-04-09. There is no indication of active exploitation at this time, and the vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is not yet available, but because the flaw is a missing claim check rather than a complex logic or memory-safety bug, a working PoC would be straightforward to develop.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40109 is to upgrade Flux Notification Controller to version 1.8.4 or later, which adds the missing email-claim validation. If an immediate upgrade is not feasible, restrict network access to the Receiver webhook endpoint with NetworkPolicies or firewall rules so that only expected Pub/Sub push traffic can reach it. Monitor notification-controller logs for reconciliations triggered by the Receiver that do not correspond to expected publishes. A WAF is unlikely to help here: the attacker's token is a genuine Google-issued token, so there is no malformed pattern to match on. After upgrading, confirm the fix by sending a test push to the Receiver with a Google OIDC token minted for a service account other than the configured pusher but carrying the correct audience; the patched controller should reject it, while a token from the intended push service account should still be accepted.
Update the Flux Notification Controller component to version 1.8.4 or higher to remediate the vulnerability. This release adds the missing email-claim validation to the gcr Receiver, so only tokens issued to the expected identity can trigger reconciliation.
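To make the distinction between "a valid Google token" and "a token from the expected identity" concrete, the following self-contained Go program is added here as an illustration; it is not code from the notification-controller repository and its field names need not match the controller's own. It models the two layers of a Pub/Sub push check described above: first that the bearer token is a genuinely signed Google ID token for the receiver's audience, then that its email claim names the push service account the operator expects. The `requireEmail` switch reproduces the vulnerable behaviour (accept any Google-issued token with the right audience) beside the corrected one. The RSA key pair, the audience string `flux-gcr-receiver`, the service-account names and the token contents are all constructed for the example; the generated RSA key stands in for Google's published JWKS key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const googleIssuer = "https://accounts.google.com"
// Claims is the subset of Google OIDC ID-token claims the receiver check uses.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Exp           int64  `json:"exp"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// signToken mints an RS256 JWT for demo input only; real ID tokens are signed by Google.
func signToken(key *rsa.PrivateKey, c Claims) (string, error) {
	enc := base64.RawURLEncoding
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// parseAndVerify checks the RS256 signature against pub (standing in for Google's JWKS key)
// and decodes the claims. A good signature proves Google issued the token, not who asked for it.
func parseAndVerify(token string, pub *rsa.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err1 := base64.RawURLEncoding.DecodeString(parts[2])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, errors.New("undecodable token segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	c := new(Claims)
	if err := json.Unmarshal(payload, c); err != nil {
		return nil, err
	}
	return c, nil
}

// authorizePush is the receiver-side decision. Signature, issuer, audience and expiry establish
// that Google issued the token for this endpoint; the email check decides which identity may
// trigger it. requireEmail=false models the vulnerable behaviour, requireEmail=true the fix.
func authorizePush(token string, pub *rsa.PublicKey, audience string,
	allowed []string, requireEmail bool, now time.Time) error {
	c, err := parseAndVerify(token, pub)
	if err != nil {
		return err
	}
	switch {
	case c.Iss != googleIssuer:
		return fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return fmt.Errorf("audience %q does not match receiver", c.Aud)
	case now.Unix() >= c.Exp:
		return errors.New("token expired")
	case !requireEmail:
		return nil // vulnerable: any Google principal holding a token for this aud gets through
	}
	for _, e := range allowed {
		if e == c.Email && c.EmailVerified {
			return nil
		}
	}
	return fmt.Errorf("identity %q is unverified or not allowed to trigger this receiver", c.Email)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now, audience := time.Now(), "flux-gcr-receiver" // audience: assumed receiver configuration
	allowed := []string{"pubsub-push@example-project.iam.gserviceaccount.com"} // assumed pusher
	attacker, _ := signToken(key, Claims{Iss: googleIssuer, Aud: audience, Exp: now.Add(time.Hour).Unix(),
		Email: "anyone@attacker-project.iam.gserviceaccount.com", EmailVerified: true}) // constructed
	for _, requireEmail := range []bool{false, true} {
		err := authorizePush(attacker, &key.PublicKey, audience, allowed, requireEmail, now)
		fmt.Printf("requireEmail=%v accepted=%v err=%v\n", requireEmail, err == nil, err)
	}
}
```

Running it prints one line per mode: with `requireEmail=false` the attacker's correctly signed, correctly scoped token is accepted, and with `requireEmail=true` it is rejected with the offending identity in the error. The same shape of probe, a genuine token minted for a service account that is not the configured pusher, is what to send against an upgraded controller to confirm the fix.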
CVE-2026-40109 is a vulnerability in Flux Notification Controller versions 1.0.0 through 1.8.3 where Google OIDC tokens are not properly validated, allowing unauthorized reconciliations.
You are affected if you run Flux Notification Controller versions 1.0.0 through 1.8.3 and define a Receiver of type gcr, i.e. you authenticate Pub/Sub push deliveries with Google OIDC tokens.
Upgrade Flux Notification Controller to version 1.8.4 or later to address the OIDC token validation issue. Consider temporary network restrictions on the Receiver endpoint as an interim measure.
There is currently no evidence of active exploitation of CVE-2026-40109, but the flaw is simple enough to exploit that it should be treated as practically exploitable.
Refer to the official Flux documentation and security advisories at [https://fluxcd.io/security/](https://fluxcd.io/security/)