17 matches found
SUSE CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
EUVD-2026-21150
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering...
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...
GHSA-9H8M-3FM2-QJRQ vulnerabilities
Vulnerabilities for packages: kubescape-operator-fips, bank-vaults, cluster-api-provider-vsphere-fips, aws-node-termination-handler, kubevela, grafana-pyroscope, rancher-webhook, helm-operator-fips, gcsfuse, knative-kafka-broker-fips, ansible-operator-fips, cluster-api, jobset, ansible-operator,...
GHSA-7WRW-R4P8-38RX vulnerabilities
Vulnerabilities for packages: fluent-bit-plugin-loki, cass-operator, grpcurl, wait-for-port, swagger, frp, extism, configmap-reload, k8sgpt, kube-state-metrics, promxy, bank-vaults, thanos-operator, volume-modifier-for-k8s, flux-kustomize-controller, petname, gobuster, kor, nri-f5, vendir, tempo,...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: bank-vaults, protoc-gen-go-grpc, prometheus-blackbox-exporter, kube-oidc-proxy, kubevela, pulumi, dynamic-localpv-provisioner-fips, helm-operator-fips, temporal-ui-server, newrelic-nri-kube-events, gcsfuse, aws-efs-csi-driver, dagger, flux, goreleaser,...
GHSA-3F2Q-6294-FMQ5 vulnerabilities
Vulnerabilities for packages: melange, pulumi-kubernetes-operator, argo-events, snyk-cli, flux-notification-controller, task, argo-workflows, argo-events-fips...
CVE-2023-46402 vulnerabilities
Vulnerabilities for packages: argo-events, snyk-cli, task, flux-notification-controller, argo-workflows, melange, pulumi-kubernetes-operator...
CVE-2023-46402 vulnerabilities
Vulnerabilities for packages: melange, pulumi-kubernetes-operator, argo-events, snyk-cli, flux-notification-controller, task, argo-workflows, argo-events-fips...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: ipfs, spark-operator, aactl, falco, slsa-verifier, k3d, prometheus-blackbox-exporter, up, dgraph, buildkitd, cortex, kubescape, scorecard, src, kubeflow, terraform-provider-sendgrid, kubevela...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: slsa-verifier, prometheus-stackdriver-exporter, up, falco, aactl, prometheus-blackbox-exporter, kube-oidc-proxy, kubevela, scorecard, src, buildkitd, dgraph, dynamic-localpv-provisioner-fips, terraform-provider-sendgrid-fips, kubernetes-csi-livenessprobe-fips,...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: spark-operator, grpcurl, flux-source-controller, frp, nodetaint, pulumi-language-dotnet, flux-kustomize-controller, pulumi, kubescape, kubeflow, gobuster, nghttp2, cosign, bom, skaffold, external-dns, dex, cue, prometheus-adapter, hey, nginx-mainline, ko, nginx-stabl...