Lucene search
K

36 matches found

RedhatCVE
RedhatCVE
added 2026/01/22 11:24 p.m.6 views

CVE-2026-23990

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.8AI score0.00303EPSS
Exploits0References1
NVD
NVD
added 2026/01/21 11:15 p.m.7 views

CVE-2026-23990

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS0.00303EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/01/21 10:25 p.m.2 views

CVE-2026-23990

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.6AI score0.00303EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/01/21 10:25 p.m.5 views

CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.9AI score0.00303EPSS
Exploits0References6
CVE
CVE
added 2026/01/21 10:25 p.m.15 views

CVE-2026-23990

CVE-2026-23990 affects the Flux Operator Web UI in Flux CD/ControlPlane prior to 0.40.0. The issue is a privilege-escalation through an impersonation bypass when OIDC tokens provide empty/invalid claims that CEL expressions can evaluate to empty; then Kubernetes client-go fails to add impersonati...

5.3CVSS5.8AI score0.00303EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/21 10:25 p.m.2 views

CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS5.8AI score0.00303EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/01/21 10:25 p.m.19 views

CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...

5.3CVSS0.00303EPSS
Exploits0References4
Snyk
Snyk
added 2026/01/21 10:23 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...

6CVSS5.7AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/21 10:23 p.m.2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...

6CVSS5.7AI score0.00303EPSS
Exploits0References2
EUVD
EUVD
added 2026/01/21 10:23 p.m.6 views

EUVD-2026-4140

Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims...

5.3CVSS5.4AI score0.00303EPSS
Exploits0References6
Snyk
Snyk
added 2026/01/21 10:23 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...

6CVSS5.7AI score0.00303EPSS
Exploits0References2
OSV
OSV
added 2026/01/21 10:23 p.m.4 views

GHSA-4XH5-JCJ2-CH8Q Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...

5.3CVSS5.9AI score0.00303EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/01/21 10:23 p.m.9 views

Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...

5.3CVSS5.9AI score0.00303EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.7 views

PT-2026-3873

Name of the Vulnerable Software and Affected Versions Flux Operator versions 0.36.0 through 0.39.9 Description The Flux Operator, a Kubernetes CRD controller, contains a flaw in its Web UI authentication code. This issue allows an attacker to bypass Kubernetes RBAC impersonation and execute API...

5.3CVSS5.5AI score0.00303EPSS
Exploits0References12
CNNVD
CNNVD
added 2026/01/21 12:0 a.m.7 views

Flux-Operator security vulnerabilities

Flux-Operator is a lifecycle management software developed by ControlPlane Enterprise for Flux CD. Versions of Flux-Operator from 0.36.0 to 0.40.0 contained security vulnerabilities. These vulnerabilities stemmed from the Web UI authentication code not verifying whether the generated username and...

5.3CVSS5.9AI score0.00303EPSS
Exploits0References5
Chainguard
Chainguard
added 2025/09/24 2:18 p.m.9 views

GHSA-8PJC-487G-W6P2 vulnerabilities

Vulnerabilities for packages: argo-events, eck-operator, fzf, rancher-system-agent, rabbitmq-messaging-topology-operator, emissary, mattermost, docker-credential-gcr, cg, flux, kor, src, zot, nuclei, tigera-operator, nodetaint, timescaledb-tune, gobump, swagger, chart-testing, gobuster,...

6.1AI score
Exploits0
Rows per page
Query Builder