{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40109", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-09T21:06:59.688Z", "dateUpdated": "2026-04-14T15:02:39.499Z"}, "containers": {"cna": {"title": "Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w"}, {"name": "https://github.com/fluxcd/notification-controller/pull/1279", "tags": ["x_refsource_MISC"], "url": "https://github.com/fluxcd/notification-controller/pull/1279"}, {"name": "https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3"}], "affected": [{"vendor": "fluxcd", "product": "notification-controller", "versions": [{"version": "< 1.8.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:06:59.688Z"}, "descriptions": [{"lang": "en", "value": "Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed. This vulnerability is fixed in 1.8.3."}], "source": {"advisory": "GHSA-h9cx-xjg6-5v2w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:23:57.726750Z", "id": "CVE-2026-40109", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:02:39.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40109", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:23:57.726750Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:24:02.970Z"}}], "cna": {"title": "Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering", "source": {"advisory": "GHSA-h9cx-xjg6-5v2w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "fluxcd", "product": "notification-controller", "versions": [{"status": "affected", "version": "< 1.8.3"}]}], "references": [{"url": "https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w", "name": "https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fluxcd/notification-controller/pull/1279", "name": "https://github.com/fluxcd/notification-controller/pull/1279", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3", "name": "https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed. This vulnerability is fixed in 1.8.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:06:59.688Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40109", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:02:39.499Z", "dateReserved": "2026-04-09T01:41:38.536Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T21:06:59.688Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed. This vulnerability is fixed in 1.8.3."}], "id": "CVE-2026-40109", "lastModified": "2026-04-16T14:42:01.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T21:16:12.277", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/fluxcd/notification-controller/pull/1279"}, {"source": "security-advisories@github.com", "url": "https://github.com/fluxcd/notification-controller/releases/tag/v1.8.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/fluxcd/notification-controller/security/advisories/GHSA-h9cx-xjg6-5v2w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "notification-controller", "source": "cna", "vendor": "fluxcd"}, "product": "notification-controller", "vendor": "fluxcd"}], "analysis": {"en": {"generated_at": "2026-04-09T22:52:32.900438+00:00", "value": {"mitigation_remediation": ["Update Flux notification-controller to version 1.8.3 or later.", "If an update is not immediately possible, restrict cluster permissions so that only trusted users can read Receiver status and secrets.", "Ensure that Pub/Sub push authentication is secured and that Google OIDC tokens are not broadly available.", "Monitor webhook activity and reconciliation logs for anomalous requests.", "Consider disabling or removing the GCR Receiver if it is not required in your environment."], "summary": {"action": "Patch", "impact": "Unauthorized reconcilation trigger"}, "threat_synthesis": {"affected_systems": "Flux CD notification-controller prior to release version 1.8.3 is affected. All deployments of the Flux notification-controller before that version are susceptible, regardless of the specific cluster configuration.", "description_and_impact": "The vulnerability resides in the GCR Receiver of Flux notification-controller, which fails to validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. Any valid Google\u2011issued token can authenticate against the Receiver webhook endpoint and cause the controller to initiate a reconciliation of all resources specified in the Receiver\u2019s configuration. In practice, because Flux reconciliation is idempotent and requests are deduplicated, the immediate effect is often a no\u2011op unless the source desired state has changed. Nonetheless, the ability to trigger reconciliations without authorization represents an unauthorized control surface and potential avenue for indirect impact if upstream sources are manipulated.", "risk_and_exploitability": "The CVSS v3.1 score for this issue is 3.1, indicating low severity. EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, implying it is not widely exploited. Attackers must know the Receiver\u2019s webhook URL\u2014derived from a random token, secret name, and namespace\u2014and cannot enumerate it through an API. Therefore, exploitation requires either cluster access to read the Receiver status or otherwise obtain the leaked secret or Pub/Sub configuration. Given these constraints, the practical risk is low, but the issue still creates an unauthorized trigger that could be abused in conjunction with other changes to source repositories."}}}}, "created": "2026-04-10T08:38:20.484673+00:00", "updated": "2026-04-10T09:29:04.375844+00:00", "vendors": ["fluxcd", "fluxcd$PRODUCT$notification-controller"]}