CVE-2026-23990

5.3 MEDIUM

📋 TL;DR

A vulnerability in the Flux Operator Web UI authentication allows attackers to bypass Kubernetes RBAC impersonation when OIDC tokens lack the expected claims or CEL expressions evaluate to empty values. API requests then execute with the flux-operator service account's elevated privileges instead of the authenticated user's more limited permissions. Flux Operator versions 0.36.0 through 0.39.0 are affected when configured with such OIDC setups.

💻 Affected Systems

Products:
  • Flux Operator
Versions: 0.36.0 through 0.39.0
Operating Systems: Any Kubernetes platform
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured with OIDC provider that issues tokens lacking expected claims (email, groups) or custom CEL expressions that evaluate to empty values.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full cluster compromise where an attacker gains flux-operator service account privileges, potentially allowing deployment of malicious workloads, data exfiltration, or disruption of Flux-managed applications.

🟠 Likely Case: Privilege escalation leading to unauthorized access to Flux-managed resources, configuration changes, or exposure of sensitive deployment information.

🟢 If Mitigated: Limited impact with proper network segmentation, minimal service account permissions, and monitoring of flux-operator API calls.

🌐 Internet-Facing: MEDIUM - Requires OIDC authentication bypass, but if Web UI is exposed externally, risk increases significantly.
🏢 Internal Only: HIGH - Internal attackers with network access to the Flux Operator Web UI can exploit this vulnerability to escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to Flux Operator Web UI and specific OIDC configuration conditions. Attacker must understand Kubernetes RBAC and OIDC token structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.40.0

Vendor Advisory: https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q

Restart Required: Yes

Instructions:

1. Update Flux Operator to version 0.40.0 or later.
2. Apply the updated manifests.
3. Restart the flux-operator deployment.
4. Verify the new version is running.

🔧 Temporary Workarounds

Disable OIDC authentication (applies to: all)

Temporarily disable OIDC authentication for the Flux Operator Web UI until patching is complete.

kubectl edit deployment flux-operator -n flux-system
Remove or comment out the OIDC configuration in the deployment spec.

Restrict network access (applies to: all)

Limit network access to the Flux Operator Web UI using NetworkPolicies or firewall rules.

kubectl apply -f network-policy.yaml (with appropriate restrictions)

🧯 If You Can't Patch

  • Ensure OIDC tokens always contain required claims (email, groups) and CEL expressions never evaluate to empty values.
  • Implement strict Kubernetes RBAC with minimal permissions for flux-operator service account and monitor its API calls.

🔍 How to Verify

Check if Vulnerable:

Check the Flux Operator version: kubectl get deployment flux-operator -n flux-system -o jsonpath='{.spec.template.spec.containers[0].image}'. If the version is between 0.36.0 and 0.39.0 and OIDC is configured, you may be vulnerable.

Check Version:

kubectl get deployment flux-operator -n flux-system -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o 'v[0-9.]*'
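To automate the version check above, here is an added example (not from the advisory or the Flux Operator project) that classifies the image reference returned by that kubectl query. It assumes the affected range is 0.36.0 up to but not including the 0.40.0 fix, and the registry host and digest in the comments are constructed sample values.

```python
import re
from typing import Optional, Tuple

# Affected range from this advisory: 0.36.0 through 0.39.0, fixed in 0.40.0.
# Assumption: every release below the 0.40.0 fix (including any 0.39.x patch)
# is treated as affected.
AFFECTED_MIN = (0, 36, 0)
FIXED = (0, 40, 0)

# Constructed examples of what the jsonpath query may return:
#   ghcr.io/controlplaneio-fluxcd/flux-operator:v0.38.1
#   registry.internal:5000/mirror/flux-operator:v0.37.2@sha256:<digest>
# Optional 'v' prefix; pre-release/build suffixes are judged by their numeric core.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def tag_from_image(image: str) -> Optional[str]:
    """Return the tag of an OCI image reference, or None if it has no tag.

    The digest suffix (@sha256:...) is stripped first. The tag separator is the
    last ':' that comes after the last '/', so a registry port such as
    'registry.internal:5000/...' is not mistaken for a tag (the grep one-liner
    above cannot tell these apart).
    """
    name = image.split("@", 1)[0]
    slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > slash:
        return name[colon + 1:]
    return None


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Parse a tag like 'v0.38.1' into (0, 38, 1); None for 'latest' etc."""
    m = _SEMVER.match(tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(image: str) -> Optional[bool]:
    """True if the image version falls in the affected range, False if not,
    None if the version cannot be determined (untagged, 'latest', digest-only)
    and the running binary must be inspected instead."""
    tag = tag_from_image(image)
    if tag is None:
        return None
    version = parse_version(tag)
    if version is None:
        return None
    return AFFECTED_MIN <= version < FIXED
```

A True result only establishes the version condition; whether OIDC is configured still has to be checked against the deployment spec, as the advisory requires both.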

Verify Fix Applied:

Confirm the version is 0.40.0 or later, then test OIDC authentication with tokens lacking the expected claims and confirm that proper impersonation headers are added.

📡 Detection & Monitoring

Log Indicators:

  • API requests from flux-operator service account without proper impersonation headers
  • Authentication failures followed by successful API calls with elevated privileges

Network Indicators:

  • Unusual API call patterns from flux-operator pod
  • Requests to Kubernetes API without expected user impersonation

SIEM Query:

kubernetes.pod.name:flux-operator AND kubernetes.event:api_request AND NOT kubernetes.user.impersonated:*
