GHSA-H9CX-XJG6-5V2W

Vulnerability from github – Published: 2026-04-10 20:18 – Updated: 2026-04-10 20:18
VLAI?
Summary
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Details

Impact

The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations.

Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config).

Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed.

Patches

The fix in notification-controller v1.8.3 refactors the GCR Receiver authentication to allow users to extend the verification to email and audience claims in the JWT. This enables operators to configure their Receiver's secret with the expected GCP Service Account email and audience, which the controller will validate against the token's claims before accepting the request.

Email validation example:

apiVersion: v1
kind: Secret
metadata:
  name: gcr-webhook-token
  namespace: apps
type: Opaque
stringData:
  token: <random token>
  email: <service-account>@<project>.iam.gserviceaccount.com
  audience: https://<hostname>/hook/<sha256(token+name+namespace)>

For more information, please see the GCR Receiver documentation: https://fluxcd.io/flux/components/notification/receivers/#gcr

Credits

Thanks to Saroj Khadka for reporting this issue to the Flux Security Team.

Severity ?
3.1 (Low)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/notification-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T20:18:16Z",
    "nvd_published_at": "2026-04-09T21:16:12Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe `gcr` Receiver type in Flux notification-controller does not validate the `email` claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations.\n\nExploitation requires the attacker to know the Receiver\u0027s webhook URL. The webhook path is generated as `/hook/sha256sum(token+name+namespace)`, where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver\u0027s `.status.webhookPath` in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config).\n\nUpon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver\u0027s `.spec.resources`. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed.\n\n### Patches\n\nThe fix in notification-controller v1.8.3 refactors the GCR Receiver authentication to allow users to extend the verification to `email` and `audience` claims in the JWT. This enables operators to configure their Receiver\u0027s secret with the expected GCP Service Account email and audience, which the controller will validate against the token\u0027s claims before accepting the request.\n\nEmail validation example:\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: gcr-webhook-token\n  namespace: apps\ntype: Opaque\nstringData:\n  token: \u003crandom token\u003e\n  email: \u003cservice-account\u003e@\u003cproject\u003e.iam.gserviceaccount.com\n  audience: https://\u003chostname\u003e/hook/\u003csha256(token+name+namespace)\u003e\n```\n\nFor more information, please see the GCR Receiver documentation: https://fluxcd.io/flux/components/notification/receivers/#gcr\n\n\n### Credits\n\nThanks to Saroj Khadka for reporting this issue to the Flux Security Team.",
  "id": "GHSA-h9cx-xjg6-5v2w",
  "modified": "2026-04-10T20:18:16Z",
  "published": "2026-04-10T20:18:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40109"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/notification-controller/pull/1279"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fluxcd/notification-controller"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.