PT-2026-3873 · Kubernetes+2 · Client-Go+2

Published

2026-01-21

·

Updated

2026-02-06

·

CVE-2026-23990

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Flux Operator versions 0.36.0 through 0.39.9
Description

The Flux Operator, a Kubernetes controller that manages Flux through custom resources (CRDs), contains a flaw in the authentication code of its Web UI. The Web UI is meant to act on behalf of the logged-in user by setting Kubernetes impersonation headers on the API requests it makes, so that Kubernetes RBAC is evaluated against that user's permissions. The impersonated username and groups are derived from the OIDC token claims by CEL expressions. When the configured OIDC provider issues tokens that lack the expected claims (such as email and groups), or when custom CEL expressions evaluate to empty values, the operator did not verify that the resulting username and groups were non-empty. With an empty username, the Kubernetes client-go library omits the impersonation headers entirely, so the request is authenticated as the flux-operator service account instead of the user. An authenticated Web UI user can therefore bypass RBAC impersonation and execute API requests with the operator's service account privileges. The impact is privilege escalation and information disclosure: unauthorized read access to Flux resources across all namespaces, potentially revealing GitOps pipeline configuration, source URLs and deployment status. Exploitation requires that cluster administrators have configured the Flux Operator in this specific way, with an OIDC provider that omits the claims or with custom CEL expressions that can yield empty values. The vulnerable component is the authentication code of the Flux Operator Web UI.
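The mechanism above, as an added example that is not code from the Flux Operator or from client-go: a small Go program that models client-go's impersonation wrapping (the Impersonate-* headers are only set when a username is present), resolves the username and groups from constructed ID-token claims the way the CEL expressions claims.email and claims.groups would, sends the request to a stub API server that reports which identity it sees, and shows the validation check that refuses an empty identity. Claim sets, the token value, the stub server and the function names are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ImpersonationConfig mirrors the shape of client-go's transport.ImpersonationConfig:
// the identity the Web UI intends to act as on behalf of the logged-in user.
type ImpersonationConfig struct {
	UserName string
	Groups   []string
}

// operatorToken stands in for the flux-operator service account's bearer token
// (constructed value for this example).
const operatorToken = "sa-token-flux-operator"

// ResolveClaims stands in for the CEL expressions `claims.email` and `claims.groups`:
// a claim the provider did not issue resolves to an empty value
// (simplified model, not the operator's CEL evaluation code).
func ResolveClaims(claims map[string]any) ImpersonationConfig {
	var cfg ImpersonationConfig
	if v, ok := claims["email"].(string); ok {
		cfg.UserName = v
	}
	if v, ok := claims["groups"].([]string); ok {
		cfg.Groups = v
	}
	return cfg
}

// buildHeaders models the client-go behaviour the advisory describes: the
// impersonating round tripper is only installed when a user name is set, so an
// empty UserName produces no Impersonate-* headers and the request is
// authenticated solely by the bearer token (simplified model of client-go).
func buildHeaders(cfg ImpersonationConfig) http.Header {
	h := http.Header{}
	h.Set("Authorization", "Bearer "+operatorToken)
	if cfg.UserName == "" {
		return h // vulnerable path: the API server sees only the operator's SA
	}
	h.Set("Impersonate-User", cfg.UserName)
	for _, g := range cfg.Groups {
		h.Add("Impersonate-Group", g)
	}
	return h
}

// ValidateImpersonation is the missing check: refuse to build a client when the
// evaluated username or groups are empty instead of silently falling back to
// the service account identity.
func ValidateImpersonation(cfg ImpersonationConfig) error {
	if strings.TrimSpace(cfg.UserName) == "" {
		return errors.New("impersonation username evaluated to empty")
	}
	if len(cfg.Groups) == 0 {
		return errors.New("impersonation groups evaluated to empty")
	}
	for _, g := range cfg.Groups {
		if strings.TrimSpace(g) == "" {
			return errors.New("impersonation groups contain an empty entry")
		}
	}
	return nil
}

// EffectiveIdentity sends one request through a stub API server that reports
// which identity it would authorize: the impersonated user when the headers are
// present, otherwise the bearer-token principal (the operator SA).
func EffectiveIdentity(cfg ImpersonationConfig) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u := r.Header.Get("Impersonate-User"); u != "" {
			fmt.Fprintf(w, "user=%s groups=%s", u, strings.Join(r.Header.Values("Impersonate-Group"), ","))
			return
		}
		fmt.Fprint(w, "serviceaccount=flux-operator")
	}))
	defer srv.Close()

	req, err := http.NewRequest(http.MethodGet, srv.URL+"/apis/source.toolkit.fluxcd.io/v1/gitrepositories", nil)
	if err != nil {
		return "", err
	}
	req.Header = buildHeaders(cfg)
	resp, err := srv.Client().Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	// Constructed ID-token claim sets: one complete, one missing email and groups.
	complete := map[string]any{"sub": "1", "email": "alice@example.com", "groups": []string{"flux-readers"}}
	incomplete := map[string]any{"sub": "2"}
	for _, claims := range []map[string]any{complete, incomplete} {
		cfg := ResolveClaims(claims)
		id, _ := EffectiveIdentity(cfg)
		fmt.Printf("claims=%v -> seen as %s (validation: %v)\n", claims, id, ValidateImpersonation(cfg))
	}
}
```

Running it prints the complete claim set as user=alice@example.com with its group, and the incomplete one as serviceaccount=flux-operator with a validation error; the fixed behaviour is to stop at that error rather than send the request.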
Recommendations

Flux Operator versions 0.36.0 through 0.39.9 should be updated to version 0.40.0 or later. As a workaround, make sure the OIDC provider always issues non-empty email and groups claims (request the corresponding scopes) and map those claims in the impersonation section of the web config, so the evaluated username and groups are never empty. For example:
apiVersion: web.fluxcd.controlplane.io/v1
kind: Config
spec:
  baseURL: https://flux.example.com
  authentication:
    type: OAuth2
    oauth2:
      provider: OIDC
      clientID: "<redacted>"
      clientSecret: "<redacted>"
      issuerURL: "https://login.microsoftonline.com/<redacted>/v2.0"
      scopes: [openid, profile, email, offline_access]
      impersonation:
        username: claims.email
        groups: claims.groups

Weakness Enumeration

LPE
Missing Authorization
Improper Privilege Management

Related Identifiers

CVE-2026-23990
GHSA-4XH5-JCJ2-CH8Q
GO-2026-4351
SUSE-SU-2026:0403-1

Affected Products

Flux-Operator
Kubernetes
Client-Go