Platform
kubernetes
Component
fluxcd/notification-controller
Fixed in
1.8.4
CVE-2026-40109 is a security vulnerability affecting Flux Notification Controller versions 1.0.0 through 1.8.3. For a Receiver of type gcr, the controller verified that the Google OIDC token presented on a Pub/Sub push request was genuine but did not check its email claim, so it could not distinguish the push subscription's service account from any other Google principal. Successful exploitation lets an attacker trigger unauthorized Flux reconciliations, potentially leading to unintended changes in the managed infrastructure.
The core impact of CVE-2026-40109 is unauthorized Flux reconciliations. Because the email claim is not compared against the configured push service account, any valid Google-issued OIDC token is accepted by the receiver endpoint, not only one minted for the Pub/Sub subscription. An attacker who can reach the endpoint and obtain such a token can post a crafted push request and force reconciliation of the resources the Receiver lists ahead of their normal schedule, applying whatever state those sources currently hold. The blast radius is limited to the affected Flux deployment and the resources its Receivers reference. The CVSS severity is rated LOW, but unauthorized configuration changes still warrant prompt remediation.
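To make the missing check concrete, the following is an added example, not code from the Flux project: a minimal Google ID-token check for a Pub/Sub push receiver, with the flawed and the corrected authorization step side by side. A locally generated RSA key stands in for Google's signing key, and the issuer, audience, receiver URL and service-account address are constructed sample values; the real controller fetches Google's published keys and delegates the signature step to a library, and the type and function names here are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Google ID token payload a Pub/Sub push receiver needs.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// signRS256 mints a compact JWT. Only used to build sample tokens here; in
// production Google's token endpoint does this, never the receiver.
func signRS256(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]) // cannot fail with a valid key
	return input + "." + b64.EncodeToString(sig)
}

// verifyRS256 answers "did the issuer sign this, and is it unexpired?", not
// "is this caller allowed?". The header alg is ignored: only RS256 is accepted.
func verifyRS256(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp <= now.Unix() {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Policy: Google's issuer, the receiver's own URL as audience, and the push
// subscription's service account.
type Policy struct{ Issuer, Audience, Email string }

// authorize is the policy check. With bindEmail=false it mirrors the flawed
// logic: issuer and audience match, so the push is accepted, and any principal
// Google will mint a token for gets through. With bindEmail=true the token must
// also carry the configured push service account as a verified email.
func authorize(c *Claims, p Policy, bindEmail bool) error {
	if c.Iss != p.Issuer || c.Aud != p.Audience {
		return errors.New("wrong issuer or audience")
	}
	if bindEmail && (!c.EmailVerified || c.Email != p.Email) {
		return fmt.Errorf("principal %q is not the push service account", c.Email)
	}
	return nil
}

// Demo signs a legitimate push token and a rogue one (Google-signed, wrong
// principal) with a local stand-in for Google's key and reports what each
// variant of the check accepts.
func Demo() (vulnAcceptsRogue, fixedAcceptsRogue, fixedAcceptsLegit bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	now := time.Now()
	policy := Policy{ // constructed sample values, not a real deployment
		Issuer:   "https://accounts.google.com",
		Audience: "https://flux.example.com/hook/abc123",
		Email:    "pubsub-push@example-project.iam.gserviceaccount.com",
	}
	legit := Claims{Iss: policy.Issuer, Aud: policy.Audience, Email: policy.Email,
		EmailVerified: true, Exp: now.Add(time.Hour).Unix()}
	rogue := legit
	rogue.Email = "anyone@gmail.com" // any Google identity the attacker controls
	lc, err1 := verifyRS256(&key.PublicKey, signRS256(key, legit), now)
	rc, err2 := verifyRS256(&key.PublicKey, signRS256(key, rogue), now)
	if err = errors.Join(err1, err2); err != nil {
		return
	}
	return authorize(rc, policy, false) == nil, authorize(rc, policy, true) == nil,
		authorize(lc, policy, true) == nil, nil
}

func main() { fmt.Println(Demo()) } // prints: true false true <nil>
```

The rogue token passes the signature, issuer, audience and expiry checks exactly as the legitimate one does; the only thing separating the two is the email comparison, which is why signature validation alone was never an authorization decision for this receiver.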
CVE-2026-40109 was publicly disclosed on 2026-04-09. There is no indication of active exploitation at this time, and the vulnerability is not listed on CISA KEV. No public proof-of-concept is available yet, but the bypass is simple enough that one could be written without much effort.
Organizations that run Flux Notification Controller in GitOps workflows and use a Receiver of type gcr with Google OIDC-authenticated Pub/Sub push are at risk. Environments whose Receiver webhook endpoints are reachable from the internet, or that lack network segmentation in front of them, are especially exposed.
• kubernetes / server: read the version from the notification-controller image tag (the page's label-based check is unreliable because Flux does not guarantee a version label on the pod):
kubectl get deploy -n flux-system notification-controller -o jsonpath='{.spec.template.spec.containers[*].image}'
Alternatively, flux check prints the image and version of every Flux controller.
• kubernetes / server: look for receiver and OIDC-related log lines from the controller (a broad filter; exact log wording varies between releases):
kubectl logs -n flux-system deploy/notification-controller -c manager | grep -i -E 'receiver|oidc'
• generic web: inspect Flux Notification Controller Receiver webhook endpoints for unusual activity or unexpected reconciliation triggers, and examine Kubernetes audit logs for suspicious API calls against Flux resources.
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40109 is to upgrade Flux Notification Controller to version 1.8.4 or later, which adds the missing email-claim validation. If an immediate upgrade is not feasible, restrict access to the Receiver webhook endpoint with network policies or firewall rules so that only the expected push sources can reach it, and monitor Flux logs for unexpected reconciliation activity. A WAF is not a useful control here: the token an attacker presents is a genuine Google-issued JWT, so there is no malformed pattern for the WAF to match; limiting which sources can reach the endpoint is the interim measure that actually helps. After upgrading, confirm the fix by sending a push request carrying a valid Google OIDC token for an identity other than the push subscription's service account; the patched controller must reject it, while a token for the configured service account still triggers reconciliation.
To mitigate this vulnerability, update the Flux Notification Controller component to version 1.8.4 or later. This update fixes the missing email validation in the GCR receiver, preventing unauthorized reconciliations from being triggered.
CVE-2026-40109 is a vulnerability in Flux Notification Controller versions 1.0.0 through 1.8.3 where Google OIDC tokens are not properly validated, allowing unauthorized reconciliations.
You are affected if you run Flux Notification Controller versions 1.0.0 through 1.8.3 and use a gcr Receiver with Google OIDC tokens for Pub/Sub push authentication.
Upgrade Flux Notification Controller to version 1.8.4 or later to address the OIDC token validation issue. Consider temporary network restrictions on the Receiver endpoint as an interim measure.
There is currently no evidence of active exploitation of CVE-2026-40109, but the bypass is simple enough that exploitation is plausible.
Refer to the official Flux documentation and security advisories at [https://fluxcd.io/security/](https://fluxcd.io/security/)