SUSE CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

EUVD-2026-21150

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering...

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...

GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109

CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...

PT-2026-31735

Name of the Vulnerable Software and Affected Versions Flux notification-controller versions prior to 1.8.3 Description Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. The gcr Receiver type does not validate the email claim of...

notification-controller 数据伪造问题漏洞

Notification-Controller is a GitOps notification controller open source in the Flux project. Versions of Notification-Controller prior to 1.8.3 had a data manipulation vulnerability. This vulnerability stemmed from the lack of verification of the email claim for Google OIDC tokens, which could...

GHSA-9H8M-3FM2-QJRQ vulnerabilities

Vulnerabilities for packages: cluster-api-aws-controller-fips, spicedb, helm-operator-fips, trivy, containerd-fips, livekit-cli, secrets-store-csi-driver-provider-gcp-fips, gitlab-operator-fips, prometheus-mongodb-exporter-fips, argo-cd-fips, cass-operator-fips, prometheus-alertmanager,...

GHSA-7WRW-R4P8-38RX vulnerabilities

Vulnerabilities for packages: grafana-rollout-operator, gostatsd, git-credential-oauth, kaf, spire-controller-manager, ctop, nri-f5, postgres-operator, harbor-scanner-trivy, kserve, elvish, octo-sts, kafka-proxy, xcaddy, secrets-store-csi-driver-provider-gcp, wait-for-port, kubernetes-replicator,...

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: spicedb, helm-operator-fips, kube-bench, trivy, terraform-provider-azurerm, kor, prometheus-mongodb-exporter-fips, kubeadm-controlplane-controller, aws-load-balancer-controller, apisix-ingress-controller, cass-operator-fips, prometheus-alertmanager,...

GHSA-3F2Q-6294-FMQ5 vulnerabilities

Vulnerabilities for packages: argo-events, snyk-cli, pulumi-kubernetes-operator, melange, task, argo-events-fips, argo-workflows, flux-notification-controller...

CVE-2023-46402 vulnerabilities

Vulnerabilities for packages: melange, flux-notification-controller, task, snyk-cli, argo-events, argo-workflows, pulumi-kubernetes-operator...

CVE-2023-46402 vulnerabilities

Vulnerabilities for packages: argo-events, snyk-cli, pulumi-kubernetes-operator, melange, task, argo-events-fips, argo-workflows, flux-notification-controller...

GHSA-M425-MQ94-257G vulnerabilities

Vulnerabilities for packages: cortex, spark-operator, scorecard, ipfs, src, dgraph, buildkitd, kubeflow, k3d, falco, kubescape, kubevela, slsa-verifier, aactl, up, prometheus-blackbox-exporter, terraform-provider-sendgrid...

GHSA-M425-MQ94-257G vulnerabilities

Vulnerabilities for packages: terraform-provider-sendgrid-fips, kubescape, scorecard, ipfs, falcoctl-fips, conftest-fips, smarter-device-manager-fips, kiam, kubevela, vault-csi-provider, falco, slsa-verifier, cortex, kubernetes-csi-livenessprobe, kubeflow-fips, dgraph, aws-efs-csi-driver-fips,...