Flux Operator CVE-2026-23990: OIDC Impersonation Bypass Leading to Privilege Escalation

Key Information CVE ID: CVE-2026-23990 Affected Versions: Fixed Version: Severity: Medium (CVSS V3.1 base score: 5.3) Description A privilege escalation vulnerability exists, allowing attackers to bypass Kubernetes RBAC impersonation by using empty OIDC claims, and execute API requests with the operator's service account permissions. Impact Privilege Escalation: Any authenticated user can escalate to operator-level read permissions and perform pause/resume/sync operations. Data Exposure: Bypass RBAC restrictions to access Flux resources across all namespaces without authorization. Information Disclosure: View sensitive GitOps pipeline configurations, source URLs, and deployment statuses for the entire cluster. Attack Scenario Prerequisites: Cluster administrators must configure the Flux operator with an OIDC provider that does not include and claims, or configure a custom CEL expression that evaluates to an empty value. Attack Steps: 1. Configure a provider that does not include and claims. 2. User authenticates with a valid token. 3. The default CEL expression evaluates to an empty value. 4. Authentication succeeds (token signature is valid). 5. A with empty impersonation configuration is created. 6. All subsequent API requests are executed using the Flux operator service account credentials, bypassing impersonation. 7. The user gains operator-level read access across all namespaces. Fix The vulnerability has been fixed in Flux Operator v0.40.0. Mitigation Ensure that and claims are required in the section of the web configuration. References Pull Request fixing the vulnerability: #610 Acknowledgments This vulnerability was discovered by Flux operator maintainers during a debugging session with an end user.

Goal Reached Thanks to every supporter — we hit 100%!

Flux Operator CVE-2026-23990: OIDC Impersonation Bypass Leading to Privilege Escalation

More from this source