Lucene search
K

5 matches found

Github Security Blog
Github Security Blog
added 2026/04/10 8:18 p.m.5 views

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...

3.1CVSS5.8AI score0.00127EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/10 8:18 p.m.2 views

GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...

3.1CVSS5.8AI score0.00127EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/09 10:10 p.m.4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the authentication for Google OIDC tokens in the GCR Receiver webhook endpoint. An attacker can trigger unauthorized reconciliation of resources by presenting any valid Google-issued...

6.3CVSS5.8AI score0.00127EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:6 p.m.2 views

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

3.1CVSS5.9AI score0.00127EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/09 9:6 p.m.21 views

CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

3.1CVSS0.00127EPSS
Exploits0References3
Rows per page
Query Builder