Unauthenticated Reconciliation Trigger in Flux Notification-Controller by Weakened OIDC Token Validation
CVE-2026-40109

3.1 LOW

Key Information:

Vendor: Fluxcd

CVE Published: 9 April 2026

What is CVE-2026-40109?

The Flux notification-controller, which forwards events and dispatches notifications in GitOps workflows, contains a vulnerability caused by inadequate validation of the email claim in Google OIDC tokens. Prior to version 1.8.3, this weakness potentially allows an attacker to authenticate against the Receiver webhook endpoint using any valid Google-issued token, and thereby trigger unauthorized reconciliations of the resources specified by the Receiver. The risk is somewhat mitigated because Flux's reconciliation process is idempotent: unless the desired state configured in the source has changed, a triggered reconciliation has no effect on the actual cluster state. The specific webhook URLs also remain undisclosed unless the attacker already has access to the Kubernetes cluster and can read sensitive configuration. This issue was addressed in version 1.8.3.
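To illustrate the class of check the description refers to, here is an added Go example; it is not the notification-controller's own code and not the actual fix. It places a weak authoriser, which accepts any token from the configured issuer, beside a hardened one that also pins the audience, requires the email_verified claim and matches the email claim against an explicit allowlist. The Claims and Policy types, the field names, the Receiver audience string and the sample tokens are all constructed for illustration; in a real deployment the claims would come from a token whose signature had already been verified against the issuer's published keys.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims is the subset of ID-token claims relevant to webhook access control.
// Constructed illustration: a real verifier fills this from a token whose
// signature has already been checked against the issuer's published keys.
type Claims struct {
	Issuer        string
	Audience      string
	Email         string
	EmailVerified bool
	ExpiresAt     time.Time
}

// Policy is what a Receiver (hypothetical name, mirroring the advisory's
// wording) is willing to accept for its webhook endpoint.
type Policy struct {
	Issuer        string
	Audience      string
	AllowedEmails []string
}

// weakAuthorize accepts any unexpired token from the configured issuer and
// never looks at who the token was issued to. This models the class of
// weakness the advisory describes (any valid Google-issued token
// authenticating); it is not the controller's actual code.
func weakAuthorize(c Claims, p Policy, now time.Time) error {
	if c.Issuer != p.Issuer {
		return errors.New("unexpected issuer")
	}
	if now.After(c.ExpiresAt) {
		return errors.New("token expired")
	}
	return nil
}

// hardenedAuthorize checks issuer, audience, expiry, email_verified and an
// explicit email allowlist. A token is accepted only if every check passes.
func hardenedAuthorize(c Claims, p Policy, now time.Time) error {
	if c.Issuer != p.Issuer {
		return errors.New("unexpected issuer")
	}
	if c.Audience != p.Audience {
		return errors.New("token not issued for this audience")
	}
	if now.After(c.ExpiresAt) {
		return errors.New("token expired")
	}
	if !c.EmailVerified {
		return errors.New("email claim not verified by issuer")
	}
	if !emailAllowed(c.Email, p.AllowedEmails) {
		return fmt.Errorf("email %q not in allowlist", c.Email)
	}
	return nil
}

// emailAllowed performs an exact match against the allowlist; the allowlist
// is the only thing that binds the webhook to a specific identity.
func emailAllowed(email string, allowed []string) bool {
	for _, a := range allowed {
		if email == a {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2026, 4, 9, 12, 0, 0, 0, time.UTC)
	policy := Policy{
		Issuer:        "https://accounts.google.com",
		Audience:      "receiver-webhook", // constructed audience value
		AllowedEmails: []string{"ci-bot@example.com"},
	}
	// Constructed token from an unrelated account: genuine, valid, not ours.
	stranger := Claims{
		Issuer: "https://accounts.google.com", Audience: "receiver-webhook",
		Email: "someone@gmail.com", EmailVerified: true, ExpiresAt: now.Add(time.Hour),
	}
	fmt.Println("weak:     ", weakAuthorize(stranger, policy, now))     // accepts (nil)
	fmt.Println("hardened: ", hardenedAuthorize(stranger, policy, now)) // rejects
}
```

The difference between the two functions is the whole point of the advisory: checking that a token is a genuine, unexpired token from the expected issuer says nothing about whether its bearer is the identity the Receiver was configured for. The allowlist match (together with email_verified, since an unverified email claim is just a string the issuer did not vouch for) is what turns "a valid Google token" into "the token of the account we trust".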

Affected Version(s)

notification-controller < 1.8.3

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 9 April 2026

  • Vulnerability reserved