36 matches found
CVE-2026-23990
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...
CVE-2026-23990
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...
CVE-2026-23990
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...
CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...
CVE-2026-23990
CVE-2026-23990 affects the Flux Operator Web UI in Flux CD/ControlPlane prior to 0.40.0. The issue is a privilege-escalation through an impersonation bypass when OIDC tokens provide empty/invalid claims that CEL expressions can evaluate to empty; then Kubernetes client-go fails to add impersonati...
CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...
CVE-2026-23990 Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...
EUVD-2026-4140
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...
GHSA-4XH5-JCJ2-CH8Q Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...
PT-2026-3873
Name of the Vulnerable Software and Affected Versions Flux Operator versions 0.36.0 through 0.39.9 Description The Flux Operator, a Kubernetes CRD controller, contains a flaw in its Web UI authentication code. This issue allows an attacker to bypass Kubernetes RBAC impersonation and execute API...
Flux-Operator security vulnerabilities
Flux-Operator is a lifecycle management software developed by ControlPlane Enterprise for Flux CD. Versions of Flux-Operator from 0.36.0 to 0.40.0 contained security vulnerabilities. These vulnerabilities stemmed from the Web UI authentication code not verifying whether the generated username and...
GHSA-8PJC-487G-W6P2 vulnerabilities
Vulnerabilities for packages: argo-events, eck-operator, fzf, rancher-system-agent, rabbitmq-messaging-topology-operator, emissary, mattermost, docker-credential-gcr, cg, flux, kor, src, zot, nuclei, tigera-operator, nodetaint, timescaledb-tune, gobump, swagger, chart-testing, gobuster,...