Flux Operator

1 CVEs product

Monthly

Sort: Newest CVSS Score EPSS Score Oldest
CVE-2026-23990 MEDIUM PATCH This Month

Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.

Golang Kubernetes Privilege Escalation Information Disclosure Flux Operator +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23990
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.

Golang Kubernetes Privilege Escalation +3
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy