Skip to main content

Kubernetes CVE-2026-40109

| EUVDEUVD-2026-21150 LOW
Improper Authentication (CWE-287)
2026-04-09 security-advisories@github.com GHSA-h9cx-xjg6-5v2w
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 21:22 euvd
EUVD-2026-21150
Analysis Generated
Apr 09, 2026 - 21:22 vuln.today
CVE Published
Apr 09, 2026 - 21:16 nvd
LOW 3.1

DescriptionGitHub Advisory

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed. This vulnerability is fixed in 1.8.3.

AnalysisAI

Flux notification-controller prior to version 1.8.3 fails to validate the email claim in Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to trigger unauthorized reconciliations via the gcr Receiver webhook endpoint. An attacker must know or discover the webhook URL (generated from a random token stored in a Kubernetes Secret) to exploit this vulnerability; however, practical impact is severely limited because Flux reconciliations are idempotent and deduplicated, meaning unauthorized requests result in no operational changes to cluster state unless the underlying Git/OCI/Helm sources have been modified.

Technical ContextAI

Flux notification-controller is a GitOps Toolkit component that validates incoming webhook events and dispatches reconciliation requests to other Flux controllers. The vulnerability exists in the gcr Receiver type, which authenticates Pub/Sub push notifications using Google OIDC tokens. The controller should validate that the token's email claim matches an expected identity before accepting the authentication, but prior to version 1.8.3 this validation was absent. This is a CWE-287 (Improper Authentication) issue. The webhook path is derived via SHA256(token+name+namespace), creating a URL-obfuscation layer that mitigates discoverability; however, the absence of email claim validation means any valid Google-issued OIDC token (issued to any Google account) can authenticate. Affected Kubernetes cluster administrators running notification-controller as a pod would be exposed if Pub/Sub push webhook URLs are leaked or accessible to attackers with read permissions on the target namespace's Receiver resource.

RemediationAI

Vendor-released patch: Flux notification-controller version 1.8.3 or later. Users should upgrade to v1.8.3 or newer, which adds proper validation of the email claim in Google OIDC tokens before accepting Pub/Sub push authentication. Upgrades can be performed via Helm (fluxcd/flux2 chart or direct notification-controller chart) or kustomize manifests. See the official release notes at https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3 and security advisory at https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w for detailed instructions. As a temporary workaround prior to upgrading, restrict network access to notification-controller webhook endpoints and ensure webhook URLs are not leaked via Git repositories, logs, or environment variable exposure.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-40109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy