CVE-2026-40109: Improper Authentication in Flux notification-controller GCR Receiver
Vulnerability ID: CVE-2026-40109
CVSS Score: 3.1
Published: 2026-04-10
The Flux notification-controller prior to version 1.8.3 suffers from improper authentication in its Google Container Registry (GCR) Receiver webhook logic. The controller verified Google OIDC token signatures but failed to validate the identity (email) and audience (aud) claims, allowing unauthorized triggering of resource reconciliations by anyone possessing a valid Google OIDC token and the target webhook URL.
TL;DR
Flux notification-controller < 1.8.3 fails to validate OIDC email/audience claims in the GCR Receiver, allowing unauthorized reconciliation triggers via any valid Google token.
Technical Details
- CWE ID: CWE-287, CWE-345
- Attack Vector: Network
- CVSS v3.1: 3.1
- EPSS Score: 0.00012
- Impact: Unauthorized Resource Reconciliation
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- fluxcd/notification-controller (GCR Receiver type)
- notification-controller: < 1.8.3 (fixed in 1.8.3)
Code Analysis
Commit: 61b0521
Core refactor of GCR Receiver to include identity validation using google.golang.org/api/idtoken
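As an added illustration (not Flux's own code), the following Go sketch contrasts the pre-1.8.3 check, which stops at signature verification, with the fixed check that also enforces the aud and email claims before a reconciliation is triggered. The Claims shape, the ReceiverConfig type and all sample values are constructed assumptions; real code would obtain the claims from idtoken.Validate, which also performs the signature check modelled here by the signatureOK flag.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims is the decoded payload after google.golang.org/api/idtoken has verified
// the signature (shape constructed for this example).
type Claims map[string]interface{}

// ReceiverConfig holds the expected service-account email and audience read from the Secret.
type ReceiverConfig struct{ Email, Audience string }

// acceptSignedOnly mirrors the pre-1.8.3 check: a valid Google signature is enough.
func acceptSignedOnly(signatureOK bool, _ Claims, _ ReceiverConfig) error {
	if !signatureOK {
		return errors.New("invalid signature")
	}
	return nil
}

// acceptWithIdentity mirrors the fixed check: signature, then the aud claim,
// then the verified email must all match what the Receiver expects.
func acceptWithIdentity(signatureOK bool, c Claims, cfg ReceiverConfig) error {
	if !signatureOK {
		return errors.New("invalid signature")
	}
	if aud, _ := c["aud"].(string); aud != cfg.Audience {
		return fmt.Errorf("audience mismatch: got %q, want %q", aud, cfg.Audience)
	}
	if ok, _ := c["email_verified"].(bool); !ok {
		return errors.New("email claim not marked verified by the issuer")
	}
	if email, _ := c["email"].(string); !strings.EqualFold(email, cfg.Email) {
		return fmt.Errorf("identity mismatch: got %q, want %q", email, cfg.Email)
	}
	return nil
}

func main() {
	// Constructed claims: correctly signed, but issued to an unrelated Google account.
	url := "https://flux.example.com/hook/CONSTRUCTED"
	cfg := ReceiverConfig{Email: "deploy@example-project.iam.gserviceaccount.com", Audience: url}
	stranger := Claims{"aud": url, "email": "someone@example.com", "email_verified": true}
	fmt.Println("pre-fix:", acceptSignedOnly(true, stranger, cfg))   // <nil>: accepted
	fmt.Println("fixed:  ", acceptWithIdentity(true, stranger, cfg)) // identity mismatch
}
```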
Mitigation Strategies
- Upgrade to notification-controller version 1.8.3
- Configure GCR Receiver Kubernetes Secrets with explicit email definitions
- Rotate existing webhook tokens
Remediation Steps:
- Update Flux components to release v1.8.3 or higher.
- Identify all GCR Receivers configured in the cluster.
- Update the Kubernetes Secret for each GCR Receiver to include an "email" key matching the GCP Service Account email.
- Optionally, add an "audience" key to the Secret if custom audiences are configured in Pub/Sub.
- Apply the Secret changes to the cluster via GitOps configuration.
References
- GitHub Advisory: GHSA-h9cx-xjg6-5v2w
- NVD Record: CVE-2026-40109
- IBM X-Force Vulnerability Database
- SentinelOne Database