25 matches found
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-s3, kyverno, guac, traefik, flux-image-automation-controller, terragrunt, k3s, tkn, dagger, nfpm, falcoctl, atlantis, containerd, cilium-cli, step-issuer, step-kms-plugin, tw, loki, policy-controller, crossplane-provider-family-azure,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: kyverno, guac, flux-image-automation-controller, terragrunt, k3s, tkn, dagger, nfpm, falcoctl, atlantis, containerd, cilium-cli, step-issuer, step-kms-plugin, loki, policy-controller, crossplane-provider-family-azure, argocd-image-updater, pulumi-language-java,...
CVE-2026-41178 vulnerabilities
Vulnerabilities for packages: traefik, coredns, kyverno, blob-csi, hydra, tailscale, trivy, flux-image-automation-controller, linkerd2, dagdotdev, k3s, tkn, dagger, falcoctl, grafana, jitsucom-bulker, containerd, calico, flux-helm-controller, kube-logging-operator, kuberay-operator, step-issuer,...
GHSA-5WRP-CWCJ-Q835 vulnerabilities
Vulnerabilities for packages: traefik, coredns, kyverno, blob-csi, hydra, tailscale, trivy, flux-image-automation-controller, linkerd2, dagdotdev, k3s, tkn, dagger, falcoctl, grafana, jitsucom-bulker, containerd, calico, flux-helm-controller, kube-logging-operator, kuberay-operator, step-issuer,...
SUSE CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
EUVD-2026-21150
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering...
GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
PT-2026-31735
Name of the Vulnerable Software and Affected Versions Flux notification-controller versions prior to 1.8.3 Description Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. The gcr Receiver type does not validate the email claim of...
notification-controller 数据伪造问题漏洞
Notification-Controller is a GitOps notification controller open source in the Flux project. Versions of Notification-Controller prior to 1.8.3 had a data manipulation vulnerability. This vulnerability stemmed from the lack of verification of the email claim for Google OIDC tokens, which could...
GHSA-9H8M-3FM2-QJRQ vulnerabilities
Vulnerabilities for packages: cloudprober, beats-fips, src, conftest, gatekeeper, cass-operator, grafana, kubernetes-csi-external-provisioner, cerbos, loki, gomplate, seaweedfs, teleport-operator-fips, cri-tools, envoy-gateway-fips, azure-service-operator, minio-fips, vitess,...
GHSA-7WRW-R4P8-38RX vulnerabilities
Vulnerabilities for packages: postgres-operator, flux-image-automation-controller, dagdotdev, volume-modifier-for-k8s, delve, sftpgo-plugin-geoipfilter, trillian, multus-cni, atlantis, vault-k8s, yunikorn-web, gcp-compute-persistent-disk-csi-driver, policy-controller, prometheus-blackbox-exporter...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: logstash-exporter-fips, sonobuoy, src, conftest, mc, prometheus-operator-fips, cass-operator, prometheus-blackbox-exporter, kubernetes-csi-external-provisioner, flux-image-automation-controller, gomplate, supercronic, prometheus-beat-exporter-fips,...
GHSA-3F2Q-6294-FMQ5 vulnerabilities
Vulnerabilities for packages: pulumi-kubernetes-operator, snyk-cli, argo-events-fips, argo-workflows, flux-notification-controller, melange, argo-events, task...