Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-40109

CVE-2026-40109: Flux Notification-Controller Auth Bypass

CVE-2026-40109 is an authentication bypass flaw in Flux notification-controller that allows unauthorized reconciliations via Google OIDC tokens. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-40109 Overview

CVE-2026-40109 is an authentication bypass vulnerability in Flux notification-controller, the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to version 1.8.3, the gcr Receiver type does not properly validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This improper authentication allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, potentially triggering unauthorized Flux reconciliations.

Critical Impact

Attackers with a valid Google-issued OIDC token and knowledge of the webhook URL can trigger unauthorized Flux reconciliations, though practical impact is limited by Flux's idempotent reconciliation behavior.

Affected Products

  • Flux notification-controller versions prior to 1.8.3
  • GitOps Toolkit deployments using gcr Receiver type with Google Pub/Sub push authentication
  • Kubernetes clusters running vulnerable notification-controller instances

Discovery Timeline

  • 2026-04-09 - CVE CVE-2026-40109 published to NVD
  • 2026-04-09 - Last updated in NVD database

Technical Details for CVE-2026-40109

Vulnerability Analysis

This authentication bypass vulnerability (CWE-287) exists in the gcr Receiver type of Flux notification-controller. The core issue is that the controller fails to validate the email claim within Google OIDC tokens when processing Pub/Sub push authentication requests. Without proper email claim verification, any valid Google-issued token can successfully authenticate to the webhook endpoint, regardless of whether the token belongs to an authorized service account or entity.

The vulnerability requires network access and knowledge of the target webhook URL. The webhook path is cryptographically generated using the formula /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. This design provides some inherent protection as there is no API or endpoint that enumerates webhook URLs.

While the vulnerability allows triggering unauthorized reconciliations, the practical impact is constrained by Flux's architecture. Reconciliation operations are idempotent, meaning if the desired state in configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, so sending many requests in a short period results in only a single reconciliation being processed.

Root Cause

The root cause is improper authentication validation in the gcr Receiver type. The notification-controller accepts Google OIDC tokens for Pub/Sub push authentication but fails to verify that the email claim in the token corresponds to an authorized identity. This missing validation step allows any entity with a valid Google-issued token to authenticate, bypassing the intended authorization controls.

Attack Vector

The attack vector requires network access to the notification-controller's webhook endpoint. An attacker must first obtain the target Receiver's webhook URL, which can be discovered by having cluster access with permissions to read the Receiver's .status.webhookPath in the target namespace, or by obtaining the URL through other means such as leaked secrets or access to Pub/Sub configuration.

Once the webhook URL is known, the attacker can send requests with any valid Google-issued OIDC token to trigger reconciliations for all resources listed in the Receiver's .spec.resources. The attack does not require any special privileges on the token itself—only that it be validly issued by Google.

Detection Methods for CVE-2026-40109

Indicators of Compromise

  • Unexpected reconciliation events in Flux controller logs without corresponding Git or source changes
  • Authentication requests to gcr Receiver webhook endpoints from unrecognized Google service accounts
  • Anomalous patterns of webhook requests that do not correlate with legitimate Pub/Sub activity
  • Multiple reconciliation triggers from different Google OIDC token identities

Detection Strategies

  • Monitor notification-controller logs for authentication events from Google OIDC tokens with unexpected email claims
  • Implement audit logging for all webhook endpoint access and compare against known authorized service accounts
  • Alert on reconciliation events that occur outside of expected CI/CD pipeline activity windows
  • Review Kubernetes audit logs for access to Receiver .status.webhookPath resources

Monitoring Recommendations

  • Enable verbose logging on notification-controller to capture authentication details including token email claims
  • Set up alerting for repeated reconciliation requests that are deduplicated by Flux controllers
  • Monitor for reconnaissance activity targeting Receiver resources or Kubernetes Secrets containing webhook tokens
  • Implement network monitoring to detect unusual traffic patterns to webhook endpoints

How to Mitigate CVE-2026-40109

Immediate Actions Required

  • Upgrade Flux notification-controller to version 1.8.3 or later immediately
  • Audit current Receiver configurations to identify gcr Receiver types using Google Pub/Sub push authentication
  • Review access controls on Kubernetes Secrets containing webhook tokens and Receiver resources
  • Rotate webhook tokens after upgrading to invalidate any potentially leaked URLs

Patch Information

The vulnerability is fixed in Flux notification-controller version 1.8.3. The fix implements proper validation of the email claim in Google OIDC tokens, ensuring only tokens from authorized identities can authenticate to the webhook endpoint. Organizations should upgrade to this version or later to remediate the vulnerability.

For detailed patch information, see the GitHub Pull Request #1279 and the v1.8.3 Release Notes. Additional security context is available in the GitHub Security Advisory GHSA-h9cx-xjg6-5v2w.

Workarounds

  • Restrict network access to notification-controller webhook endpoints using Kubernetes NetworkPolicies or service mesh policies
  • Implement additional authentication layers at the ingress level before traffic reaches the notification-controller
  • Monitor and alert on all gcr Receiver webhook activity until the upgrade can be completed
  • Consider temporarily disabling gcr Receiver types if they are not business-critical until patching is complete
bash
# Upgrade notification-controller to patched version
flux install --components=notification-controller --version=v1.8.3

# Verify the installed version
kubectl get deployment notification-controller -n flux-system -o jsonpath='{.spec.template.spec.containers[0].image}'

# Review existing Receiver configurations for gcr type
kubectl get receivers -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: {.spec.type}{"\n"}{end}' | grep gcr

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.