Browse all 9 CVE security advisories affecting fluxcd. AI-powered Chinese analysis, POCs, and references for each vulnerability.
FluxCD is an open-source GitOps toolkit for automating container infrastructure deployments. Historically, it has been vulnerable to multiple remote code execution (RCE) flaws, cross-site scripting (XSS), privilege escalation, and insecure default configurations. These vulnerabilities often stem from improper input validation, insecure deserialization, and insufficient access controls. Notable security incidents include CVE-2023-25165, which allowed RCE through the notification controller, and CVE-2023-27452, enabling privilege escalation via the Helm controller. While FluxCD provides declarative GitOps workflows, its complex architecture and multiple components create potential attack surfaces requiring careful configuration and regular updates to mitigate risks.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-40109 | Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering (notification-controller, CWE-287) | 3.1 | Low | 2026-04-09 |
This page lists every published CVE security advisory associated with fluxcd. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.