GHSA-4XH5-JCJ2-CH8Q
Vulnerability from github – Published: 2026-01-21 22:23 – Updated: 2026-01-22 15:40
VLAI?
Summary
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
Details
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges.
After OIDC token claims are processed through CEL expressions, there is no validation that the resulting username and groups values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions.
Impact
- Privilege Escalation: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions
- Data Exposure: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions
- Information Disclosure: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster
Attack Scenario
Prerequisite: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., email, groups), or configure custom CEL expressions that can evaluate to empty values.
- Cluster admin configures OIDC authentication with a provider that does not include
emailorgroupsclaims in tokens - User authenticates with a valid token from that provider
- The default CEL expressions evaluate to empty values:
- Username:
has(claims.email) ? claims.email : ''→"" - Groups:
has(claims.groups) ? claims.groups : []→[] - Authentication succeeds (token signature is valid)
- A userClient is created with empty impersonation config
- All subsequent API requests bypass impersonation and execute as the flux-operator service account
- User gains operator-level read access across all namespaces
Patches
This vulnerability was fixed in Flux Operator v0.40.0.
Workarounds
The workaround is to make the email and groups claims required in the web config impersonation section.
Example config:
apiVersion: web.fluxcd.controlplane.io/v1
kind: Config
spec:
baseURL: https://flux.example.com
authentication:
type: OAuth2
oauth2:
provider: OIDC
clientID: "<redacted>"
clientSecret: "<redacted>"
issuerURL: "https://login.microsoftonline.com/<redacted>/v2.0"
scopes: [openid, profile, email, offline_access]
impersonation:
username: claims.email
groups: claims.groups
References
See the Pull Request fixing this vulnerability https://github.com/controlplaneio-fluxcd/flux-operator/pull/610
Credits
This vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.
Severity ?
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/controlplaneio-fluxcd/flux-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0.36.0"
},
{
"fixed": "0.40.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23990"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T22:23:33Z",
"nvd_published_at": "2026-01-21T23:15:52Z",
"severity": "MODERATE"
},
"details": "A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator\u0027s service account privileges.\n\nAfter OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account\u0027s credentials instead of the authenticated user\u0027s limited permissions.\n\n### Impact\n\n- **Privilege Escalation**: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions\n- **Data Exposure**: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions\n- **Information Disclosure**: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster\n\n### Attack Scenario\n\n**Prerequisite**: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values.\n\n1. Cluster admin configures OIDC authentication with a provider that does not include `email` or `groups` claims in tokens\n2. User authenticates with a valid token from that provider\n3. The default CEL expressions evaluate to empty values:\n - Username: `has(claims.email) ? claims.email : \u0027\u0027` \u2192 `\"\"`\n - Groups: `has(claims.groups) ? claims.groups : []` \u2192 `[]`\n4. Authentication succeeds (token signature is valid)\n5. A userClient is created with empty impersonation config\n6. All subsequent API requests bypass impersonation and execute as the flux-operator service account\n7. User gains operator-level read access across all namespaces\n\n### Patches\n\nThis vulnerability was fixed in Flux Operator v0.40.0.\n\n### Workarounds\n\nThe workaround is to make the `email` and `groups` claims required in the web config `impersonation` section.\n\nExample config:\n\n```yaml\napiVersion: web.fluxcd.controlplane.io/v1\nkind: Config\nspec:\n baseURL: https://flux.example.com\n authentication:\n type: OAuth2\n oauth2:\n provider: OIDC\n clientID: \"\u003credacted\u003e\"\n clientSecret: \"\u003credacted\u003e\"\n issuerURL: \"https://login.microsoftonline.com/\u003credacted\u003e/v2.0\"\n scopes: [openid, profile, email, offline_access]\n impersonation:\n username: claims.email\n groups: claims.groups\n```\n\n### References\n\nSee the Pull Request fixing this vulnerability https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 \n\n### Credits\n\nThis vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.",
"id": "GHSA-4xh5-jcj2-ch8q",
"modified": "2026-01-22T15:40:22Z",
"published": "2026-01-21T22:23:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23990"
},
{
"type": "WEB",
"url": "https://github.com/controlplaneio-fluxcd/flux-operator/pull/610"
},
{
"type": "WEB",
"url": "https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e"
},
{
"type": "PACKAGE",
"url": "https://github.com/controlplaneio-fluxcd/flux-operator"
},
{
"type": "WEB",
"url": "https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…