PT-2026-31735 · Flux · Notification-Controller
Published 2026-04-09 · Updated 2026-04-28 · CVE-2026-40109
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Flux notification-controller versions prior to 1.8.3
Description
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. The gcr Receiver type does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, potentially triggering unauthorized Flux reconciliations. Exploitation requires knowledge of the Receiver's webhook URL, which is generated as /hook/sha256sum(token+name+namespace). The controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources, but the practical impact is limited as Flux reconciliation is idempotent and deduplicates requests.
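The following is an added illustration of the missing check, not code from the notification-controller project: a minimal claim check over an already signature-verified Google ID token payload, with the audience-only acceptance the advisory describes beside a version that also pins the `email` claim to the Pub/Sub push service account. The `Payload` type, the check functions and the sample identities are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Payload is a hypothetical stand-in for the decoded claims of a Google-issued
// OIDC ID token after its signature has been verified (constructed for this
// example; only the fields the check needs are modelled).
type Payload struct {
	Issuer   string
	Audience string
	Claims   map[string]interface{}
}

// weakCheck mirrors the behaviour the advisory describes for versions before
// 1.8.3: any Google-issued token carrying the expected audience is accepted and
// the email claim is never consulted.
func weakCheck(p *Payload, audience string) error {
	if p.Issuer != "https://accounts.google.com" && p.Issuer != "accounts.google.com" {
		return errors.New("unexpected issuer")
	}
	if p.Audience != audience {
		return errors.New("unexpected audience")
	}
	return nil
}

// hardenedCheck additionally requires that Google has verified the email and
// that it matches the push service account configured for this Receiver.
func hardenedCheck(p *Payload, audience, expectedEmail string) error {
	if err := weakCheck(p, audience); err != nil {
		return err
	}
	if verified, _ := p.Claims["email_verified"].(bool); !verified {
		return errors.New("email claim not verified by issuer")
	}
	email, _ := p.Claims["email"].(string)
	if email == "" || email != expectedEmail {
		return fmt.Errorf("token email %q is not the expected push service account", email)
	}
	return nil
}

func main() {
	// Constructed sample: a valid Google token for an unrelated identity that
	// carries the right audience. It passes the weak check and fails the hardened one.
	aud := "https://flux.example/hook/abc"
	foreign := &Payload{Issuer: "https://accounts.google.com", Audience: aud,
		Claims: map[string]interface{}{"email": "someone@example.com", "email_verified": true}}
	fmt.Println("weak:", weakCheck(foreign, aud))
	fmt.Println("hardened:", hardenedCheck(foreign, aud, "pubsub-push@my-project.iam.gserviceaccount.com"))
}
```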
Recommendations
Update to version 1.8.3 or later.
Fix
Weakness Types
Insufficient Verification of Data Authenticity (CWE-345)
Improper Authentication (CWE-287)
Affected Products
Notification-Controller