17 matches found
SUSE CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
EUVD-2026-21150
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering...
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...
GHSA-9H8M-3FM2-QJRQ vulnerabilities
Vulnerabilities for packages: rke2-cloud-provider-fips, commercial-grafana, tkn-fips, falcoctl, azcopy, descheduler-fips, k9s, kubernetes-csi-external-attacher-fips, sops-fips, buildkitd, longhorn-manager, jobset-fips, flyte, opencost-fips, kubernetes-csi-external-resizer-fips, containerd,...
GHSA-7WRW-R4P8-38RX vulnerabilities
Vulnerabilities for packages: sbom-convert, falcosidekick, prometheus-adapter, slsa-verifier, yq, mockery, k9s, kubernetes-csi-driver-hostpath, go-licenses, sftpgo-plugin-eventstore, docker-compose, wave, k8ssandra-operator, bazelisk, sftpgo-plugin-eventsearch, flux, flux-source-controller,...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: nodetaint, pulumi, falcoctl, crossplane-provider-aws-lambda, k9s, rclone, buildkitd, prometheus-node-exporter, protoc-gen-go-grpc, secrets-store-csi-driver, ipfs, spark-operator, hugo-extended, cfssl, kyverno-policy-reporter, crossplane-provider-aws-firehose,...
GHSA-3F2Q-6294-FMQ5 vulnerabilities
Vulnerabilities for packages: argo-workflows, argo-events-fips, pulumi-kubernetes-operator, task, flux-notification-controller, argo-events, melange, snyk-cli...
CVE-2023-46402 vulnerabilities
Vulnerabilities for packages: argo-events, melange, flux-notification-controller, task, snyk-cli, pulumi-kubernetes-operator, argo-workflows...
CVE-2023-46402 vulnerabilities
Vulnerabilities for packages: argo-workflows, argo-events-fips, pulumi-kubernetes-operator, task, flux-notification-controller, argo-events, melange, snyk-cli...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: buildkitd, src, slsa-verifier, kubescape, k3d, cortex, spark-operator, up, dgraph, falco, kubeflow, ipfs, kubevela, prometheus-blackbox-exporter, aactl, terraform-provider-sendgrid, scorecard...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: prometheus-stackdriver-exporter, terraform-provider-sendgrid-fips, dynamic-localpv-provisioner-fips, smarter-device-manager-fips, falcoctl-fips, src, cortex, slsa-verifier, buildkitd, scorecard, falco, cluster-autoscaler-fips, prometheus-adapter-fips, up, aactl,...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: ko, flux-kustomize-controller, ollama, metacontroller, dynamic-localpv-provisioner, kots, prometheus-adapter, slsa-verifier, hey, nodetaint, fuse-overlayfs-snapshotter, node-problem-detector, nghttp2, secrets-store-csi-driver, nats, envoy-ratelimit, weaviate,...