CVE-2026-23990: Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator’s service account privileges.
After OIDC token claims are processed through CEL expressions, there is no validation that the resulting username and groups values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account’s credentials instead of the authenticated user’s limited permissions.
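The following is an added example, not code from the Flux Operator project, that models the failure mode described above and the check that closes it. It uses plain `net/http` instead of client-go; `applyImpersonation` is a simplified stand-in for client-go's rule of only wiring in the impersonating transport when at least one impersonation field is set, and the `ResolvedIdentity` type, function names and request URL are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ResolvedIdentity holds the username and groups after the OIDC claims have
// been run through the configured CEL expressions. The type and field names
// are assumptions for this example, not the operator's own types.
type ResolvedIdentity struct {
	Username string
	Groups   []string
}

// ErrEmptyIdentity is returned when no usable identity came out of the claims.
var ErrEmptyIdentity = errors.New("oidc: no username resolved from token claims; refusing to proxy request")

// nonEmpty drops blank group entries so that a CEL expression yielding
// [""] does not count as a real group.
func nonEmpty(groups []string) []string {
	out := make([]string, 0, len(groups))
	for _, g := range groups {
		if strings.TrimSpace(g) != "" {
			out = append(out, g)
		}
	}
	return out
}

// ValidateIdentity is the post-CEL check the advisory describes as missing.
// It requires a non-empty username (the API server also needs Impersonate-User
// for any impersonation), which covers the both-empty case from the advisory.
func ValidateIdentity(id ResolvedIdentity) error {
	if strings.TrimSpace(id.Username) == "" {
		return ErrEmptyIdentity
	}
	return nil
}

// applyImpersonation is a simplified model of the client behaviour: headers
// are only added when at least one impersonation field is set. With nothing
// set, no headers are added and the request goes out with the operator's own
// service-account credentials. Returns whether headers were added.
func applyImpersonation(req *http.Request, id ResolvedIdentity) bool {
	groups := nonEmpty(id.Groups)
	if id.Username == "" && len(groups) == 0 {
		return false
	}
	req.Header.Set("Impersonate-User", id.Username)
	for _, g := range groups {
		req.Header.Add("Impersonate-Group", g)
	}
	return true
}

// newAPIRequest builds a request object; the URL is a placeholder and
// nothing is ever sent.
func newAPIRequest() (*http.Request, error) {
	return http.NewRequest(http.MethodGet, "https://kubernetes.default.svc/api/v1/namespaces", nil)
}

// VulnerableRequest reproduces the flawed flow: the resolved identity is
// forwarded to the client without any emptiness check.
func VulnerableRequest(id ResolvedIdentity) (*http.Request, error) {
	req, err := newAPIRequest()
	if err != nil {
		return nil, err
	}
	applyImpersonation(req, id)
	return req, nil
}

// HardenedRequest validates the identity first and fails closed.
func HardenedRequest(id ResolvedIdentity) (*http.Request, error) {
	if err := ValidateIdentity(id); err != nil {
		return nil, err
	}
	return VulnerableRequest(id)
}

func main() {
	for _, id := range []ResolvedIdentity{
		{}, // constructed: claims that the CEL expressions reduced to nothing
		{Username: "alice@example.com", Groups: []string{"developers", ""}},
	} {
		req, _ := VulnerableRequest(id)
		fmt.Printf("vulnerable: user=%q groups=%v -> Impersonate-User=%q\n",
			id.Username, id.Groups, req.Header.Get("Impersonate-User"))
		if _, err := HardenedRequest(id); err != nil {
			fmt.Printf("hardened:   rejected: %v\n", err)
		} else {
			fmt.Println("hardened:   accepted")
		}
	}
}
```

The vulnerable path silently produces a request with no `Impersonate-User` header for the empty identity, which is exactly the request that would run with the service account's privileges; the hardened path rejects it before any client is involved. Requiring a username rather than only checking "both empty" is a deliberate choice here: the API server needs `Impersonate-User` for any impersonation, so a groups-only identity would fail at the server anyway and is better refused up front.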
References
- github.com/advisories/GHSA-4xh5-jcj2-ch8q
- github.com/controlplaneio-fluxcd/flux-operator
- github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e
- github.com/controlplaneio-fluxcd/flux-operator/pull/610
- github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0
- github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q
- nvd.nist.gov/vuln/detail/CVE-2026-23990