Description
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue.
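The mechanism above is easy to miss in review: the identity derived from the OIDC claims is handed to client-go, and client-go only installs its impersonating transport when there is something to impersonate. The following Go program is an added illustration, not Flux Operator or client-go code. It mirrors, in a simplified form, the condition client-go applies before adding `Impersonate-*` headers (an empty user name and no groups means no headers), and places in front of it the validation the advisory describes as missing before 0.40.0. The `Identity` type, `buildHeaders` and the sample claim values are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Identity is the result of evaluating OIDC token claims through the
// configured CEL expressions. The field names are an assumption for this
// example, not the Flux Operator's own types.
type Identity struct {
	Username string
	Groups   []string
}

// impersonationHeaders mirrors (in simplified form) the check client-go
// performs before wrapping a transport with its impersonating round tripper:
// with an empty user name and no groups, no Impersonate-* headers are added,
// so the request is sent with only the operator's own service-account
// credentials. This is the behaviour the advisory describes.
func impersonationHeaders(id Identity) http.Header {
	h := http.Header{}
	if id.Username == "" && len(id.Groups) == 0 {
		return h // nothing to impersonate: request runs as the service account
	}
	if id.Username != "" {
		h.Set("Impersonate-User", id.Username)
	}
	for _, g := range id.Groups {
		h.Add("Impersonate-Group", g)
	}
	return h
}

// validateIdentity is the guard that must run before any request is built:
// the username and at least one group must be non-empty once whitespace is
// trimmed, so a CEL expression that evaluates to "" or [""] is rejected
// rather than silently dropping impersonation.
func validateIdentity(id Identity) error {
	if strings.TrimSpace(id.Username) == "" {
		return errors.New("oidc identity: username claim evaluated to empty")
	}
	nonEmpty := 0
	for _, g := range id.Groups {
		if strings.TrimSpace(g) != "" {
			nonEmpty++
		}
	}
	if nonEmpty == 0 {
		return errors.New("oidc identity: groups claim evaluated to empty")
	}
	return nil
}

// buildHeaders is the hardened path: validate first, then derive headers.
// A request for a rejected identity is never issued.
func buildHeaders(id Identity) (http.Header, error) {
	if err := validateIdentity(id); err != nil {
		return nil, err
	}
	return impersonationHeaders(id), nil
}

func main() {
	// Constructed sample identities: claims missing entirely, claims that
	// evaluated to whitespace, and a well-formed identity.
	samples := []Identity{
		{},
		{Username: "  ", Groups: []string{""}},
		{Username: "alice@example.com", Groups: []string{"flux-readers"}},
	}
	for _, id := range samples {
		fmt.Printf("unvalidated path sets %d impersonation header(s) for %+v\n",
			len(impersonationHeaders(id)), id)
		h, err := buildHeaders(id)
		if err != nil {
			fmt.Printf("validated path: rejected (%v)\n", err)
			continue
		}
		fmt.Printf("validated path: %v\n", h)
	}
}
```

Running it shows the first two identities producing zero headers on the unvalidated path (the requests would carry only the service account's credentials) while the validated path refuses them; only the third identity yields `Impersonate-User` and `Impersonate-Group` headers.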
Published: 2026-01-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Impersonation Bypass
Action: Immediate Patch
AI Analysis

Impact

The Flux Operator Web UI contains a privilege escalation flaw, caused by unvalidated empty OIDC claim values, that lets an attacker bypass Kubernetes RBAC impersonation. The vulnerability manifests when the OIDC provider returns no email or groups claim, or when custom CEL expressions evaluate to empty strings: no impersonation headers are added and the request executes under the operator’s service account. This can lead to unauthorized API calls, data exposure, or information disclosure, as the attacker gains the full permissions of the operator’s service account.

Affected Systems

The vulnerability affects the Flux Operator provided by controlplaneio-fluxcd. Versions starting from 0.36.0 up through the last release before 0.40.0 (i.e., 0.39.x) are vulnerable. Users running any of those versions should verify their installation and upgrade when possible.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, while the EPSS score is below 1%, suggesting a low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a misconfigured OIDC provider or CEL expressions that produce empty claim values; once triggered, an attacker can run API requests with the Flux Operator’s service account privileges, bypassing the RBAC restrictions that would otherwise apply to the authenticated user.

Generated by OpenCVE AI on April 18, 2026 at 04:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Flux Operator to version 0.40.0 or later, which includes the authentication patch.
  • If an upgrade cannot be performed immediately, configure the OIDC provider to always supply non-empty email and groups claims, and ensure the username and groups values produced by any custom CEL expressions are validated as non-empty before API requests are issued.
  • Restrict access to the Flux Operator Web UI to trusted administrators and use network policies or firewall rules to limit exposure.


Advisories
Source: Github GHSA
ID: GHSA-4xh5-jcj2-ch8q
Title: Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
History

Fri, 06 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Control-plane; Control-plane flux Operator
CPEs | (none) | cpe:2.3:a:control-plane:flux_operator:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Control-plane; Control-plane flux Operator

Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Controlplaneio-fluxcd; Controlplaneio-fluxcd flux-operator
Vendors & Products | (none) | Controlplaneio-fluxcd; Controlplaneio-fluxcd flux-operator

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue.
Title | (none) | Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
Weaknesses | (none) | CWE-269; CWE-862
References | (none) | (none)
Metrics | (none) | cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:21.454Z

Reserved: 2026-01-19T18:49:20.657Z

Link: CVE-2026-23990

Vulnrichment

Updated: 2026-01-22T15:09:27.227Z

NVD

Status: Analyzed

Published: 2026-01-21T23:15:52.930

Modified: 2026-03-06T20:01:58.813

Link: CVE-2026-23990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses