Privilege Escalation Vulnerability in Flux Operator for Kubernetes
CVE-2026-23990

5.3 MEDIUM

Key Information:

Vendor:
CVE Published: 21 January 2026

What is CVE-2026-23990?

The Flux Operator, a Kubernetes CRD controller, contains a vulnerability in its Web UI authentication code that can allow attackers to bypass Kubernetes RBAC impersonation. It is reachable when an administrator configures the operator with an OIDC provider that issues tokens without the claims the operator expects (such as email or groups), or with custom CEL expressions that can evaluate to empty values. Because these empty claims are mishandled, the impersonation headers are not added to the Kubernetes API requests, so actions run with the permissions of the flux-operator service account rather than those of the authenticated user. The result is unauthorized privilege escalation, which can expose sensitive data and compromise the cluster's security. The issue is addressed in version 0.40.0.
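The failure mode described above, as an added illustration that is not Flux Operator's own code: a minimal model of the impersonation step in a Kubernetes API proxy, where the vulnerable variant silently omits the Impersonate-User header when the OIDC- or CEL-derived username is empty (so the API server sees the proxy's own service account), and the fixed variant fails closed. The Claims type, the function names and the service-account name are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Claims is a constructed stand-in for what an OIDC token (or a custom CEL
// expression over it) resolves to; a field is empty when the claim is missing.
type Claims struct {
	Username string
	Groups   []string
}

// setImpersonationVulnerable mirrors the flawed pattern: an empty username simply
// means no Impersonate-User header, so the request runs as the operator itself.
func setImpersonationVulnerable(req *http.Request, c Claims) {
	if c.Username != "" {
		req.Header.Set("Impersonate-User", c.Username)
	}
}

// setImpersonationFixed fails closed: no impersonatable identity, no request.
func setImpersonationFixed(req *http.Request, c Claims) error {
	if c.Username == "" {
		return errors.New("identity claim resolved to empty; refusing to proxy request")
	}
	req.Header.Set("Impersonate-User", c.Username)
	for _, g := range c.Groups {
		if g != "" { // an empty group value is dropped, not forwarded
			req.Header.Add("Impersonate-Group", g)
		}
	}
	return nil
}

// EffectiveIdentity models the API server's view: the impersonated user if the header is present, else the proxy's own identity.
func EffectiveIdentity(req *http.Request, proxyIdentity string) string {
	if u := req.Header.Get("Impersonate-User"); u != "" {
		return u
	}
	return proxyIdentity
}

func main() {
	req, _ := http.NewRequest(http.MethodGet, "https://kubernetes.default.svc/api/v1/secrets", nil)
	setImpersonationVulnerable(req, Claims{}) // token that carries no email/groups claim
	fmt.Println("runs as:", EffectiveIdentity(req, "system:serviceaccount:flux-system:flux-operator"))
}
```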

Affected Version(s)

flux-operator >= 0.36.0, < 0.40.0

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved