Description
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, so sending many requests in a short period results in only a single reconciliation being processed. This vulnerability is fixed in 1.8.3.
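As an added illustration, not code from Flux or from the advisory, the following Go snippet shows the claim check the advisory describes as missing: the pre-fix style check (issuer, audience, expiry only) beside the corrected one that also pins the verified email claim to the single service account allowed to push. The type and function names (Claims, PushAuthPolicy, validateWithoutEmail, validateWithEmail, parseClaims), the policy field names and the sample payload are assumptions for this example; it assumes the token signature has already been verified against Google's keys and that the token carries the standard iss, aud, email, email_verified and exp claims.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the subset of Google OIDC ID-token claims that matter for Pub/Sub
// push authentication. Signature verification against Google's published keys
// is assumed to have happened before these checks run (not shown here).
type Claims struct {
	Issuer        string
	Audience      string
	Email         string
	EmailVerified bool
	Expiry        time.Time
}

// PushAuthPolicy is what a Receiver pins: the audience Pub/Sub was configured
// to place in the token (normally the push endpoint URL) and the single service
// account allowed to push. Field names are assumptions for this example.
type PushAuthPolicy struct {
	ExpectedAudience string
	AllowedEmail     string
}

// googleIssuers lists the issuer values Google uses for ID tokens.
var googleIssuers = map[string]bool{
	"https://accounts.google.com": true,
	"accounts.google.com":         true,
}

// rawClaims mirrors the JSON field names of the decoded token payload. Google
// ID tokens carry "aud" as a single string; the JWT array form is not handled.
type rawClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

// parseClaims decodes an already signature-verified JWT payload.
func parseClaims(payload []byte) (Claims, error) {
	var r rawClaims
	if err := json.Unmarshal(payload, &r); err != nil {
		return Claims{}, err
	}
	return Claims{
		Issuer: r.Iss, Audience: r.Aud, Email: r.Email,
		EmailVerified: r.EmailVerified, Expiry: time.Unix(r.Exp, 0).UTC(),
	}, nil
}

// validateWithoutEmail reproduces the gap the advisory describes: issuer,
// audience and expiry are checked, but the email claim is never compared, so
// any Google-issued token minted for this audience is accepted.
func validateWithoutEmail(c Claims, p PushAuthPolicy, now time.Time) error {
	if !googleIssuers[c.Issuer] {
		return errors.New("unexpected issuer")
	}
	if c.Audience != p.ExpectedAudience {
		return errors.New("audience mismatch")
	}
	if !now.Before(c.Expiry) {
		return errors.New("token expired")
	}
	return nil
}

// validateWithEmail adds the missing check: the token must carry a verified
// email claim equal to the one service account authorised to push.
func validateWithEmail(c Claims, p PushAuthPolicy, now time.Time) error {
	if err := validateWithoutEmail(c, p, now); err != nil {
		return err
	}
	if !c.EmailVerified {
		return errors.New("email claim is not verified")
	}
	if c.Email != p.AllowedEmail {
		return fmt.Errorf("email %q is not the authorised push identity", c.Email)
	}
	return nil
}

func main() {
	now := time.Date(2026, 4, 10, 0, 0, 0, 0, time.UTC)
	policy := PushAuthPolicy{
		ExpectedAudience: "https://flux.example.invalid/hook/PLACEHOLDER",
		AllowedEmail:     "push@example-project.iam.gserviceaccount.com",
	}
	// Constructed payload: a different Google identity, same audience, valid for one more hour.
	payload := []byte(`{"iss":"https://accounts.google.com","aud":"https://flux.example.invalid/hook/PLACEHOLDER","email":"someone-else@example.com","email_verified":true,"exp":1775782800}`)
	claims, err := parseClaims(payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("without email check:", validateWithoutEmail(claims, policy, now)) // <nil>: accepted
	fmt.Println("with email check:   ", validateWithEmail(claims, policy, now))    // rejected
}
```

The defender-side takeaway is that audience alone only proves the token was minted for this endpoint, not by whom; pinning the verified email claim to the configured push service account is what turns a Google-wide identity check into a per-Receiver one.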
Published: 2026-04-09
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized reconciliation trigger
Action: Patch
AI Analysis

Impact

The vulnerability resides in the GCR Receiver of Flux notification-controller, which fails to validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. Any valid Google-issued token can authenticate against the Receiver webhook endpoint and cause the controller to initiate a reconciliation of all resources specified in the Receiver's configuration. In practice, because Flux reconciliation is idempotent and requests are deduplicated, the immediate effect is often a no-op unless the source desired state has changed. Nonetheless, the ability to trigger reconciliations without authorization represents an unauthorized control surface and potential avenue for indirect impact if upstream sources are manipulated.

Affected Systems

Flux CD notification-controller prior to release version 1.8.3 is affected. All deployments of the Flux notification-controller before that version are susceptible, regardless of the specific cluster configuration.

Risk and Exploitability

The CVSS v3.1 score for this issue is 3.1, indicating low severity. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog, implying it is not widely exploited. Attackers must know the Receiver's webhook URL, which is derived from a random token, secret name, and namespace, and cannot enumerate it through an API. Therefore, exploitation requires either cluster access to read the Receiver status or otherwise obtaining the leaked secret or Pub/Sub configuration. Given these constraints, the practical risk is low, but the issue still creates an unauthorized trigger that could be abused in conjunction with other changes to source repositories.

Generated by OpenCVE AI on April 9, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Flux notification-controller to version 1.8.3 or later.
  • If an update is not immediately possible, restrict cluster permissions so that only trusted users can read Receiver status and secrets.
  • Ensure that Pub/Sub push authentication is secured and that Google OIDC tokens are not broadly available.
  • Monitor webhook activity and reconciliation logs for anomalous requests.
  • Consider disabling or removing the GCR Receiver if it is not required in your environment.


Advisories
Source: GitHub GHSA
ID: GHSA-h9cx-xjg6-5v2w
Title: Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
History

(No entry removed values; only the values added are listed.)

Tue, 14 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Fluxcd; Fluxcd notification-controller

Type: Vendors & Products
Values Added: Fluxcd; Fluxcd notification-controller

Thu, 09 Apr 2026 21:15:00 +0000

Type: Description
Values Added: Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, so sending many requests in a short period results in only a single reconciliation being processed. This vulnerability is fixed in 1.8.3.

Type: Title
Values Added: Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Type: Weaknesses
Values Added: CWE-287; CWE-345

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:02:39.499Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40109

Vulnrichment

Updated: 2026-04-13T20:24:02.970Z

NVD

Status : Deferred

Published: 2026-04-09T21:16:12.277

Modified: 2026-04-16T14:42:01.147

Link: CVE-2026-40109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:04Z

Weaknesses