Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

Moderate severity GitHub Reviewed Published Jan 21, 2026 in controlplaneio-fluxcd/flux-operator • Updated Jan 22, 2026

Package

gomod github.com/controlplaneio-fluxcd/flux-operator (Go)

Affected versions

>= 0.36.0, < 0.40.0

Patched versions

0.40.0

Description

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges.

After OIDC token claims are processed through CEL expressions, there is no validation that the resulting username and groups values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions.

Impact

  • Privilege Escalation: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions
  • Data Exposure: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions
  • Information Disclosure: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster

Attack Scenario

Prerequisite: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., email, groups), or configure custom CEL expressions that can evaluate to empty values.

  1. Cluster admin configures OIDC authentication with a provider that does not include email or groups claims in tokens
  2. User authenticates with a valid token from that provider
  3. The default CEL expressions evaluate to empty values:
    • Username: has(claims.email) ? claims.email : ""
    • Groups: has(claims.groups) ? claims.groups : []
  4. Authentication succeeds (token signature is valid)
  5. A userClient is created with empty impersonation config
  6. All subsequent API requests bypass impersonation and execute as the flux-operator service account
  7. User gains operator-level read access across all namespaces
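The following is an added example (not code from the Flux Operator project or its fix) that models the failure described above and the check that closes it. It assumes a stand-alone ImpersonationConfig type standing in for client-go's transport.ImpersonationConfig, mirrors client-go's behaviour of only installing the impersonating round tripper when at least one field is set, and adds a hypothetical validateImpersonation helper that rejects an empty username before any user client is built.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ImpersonationConfig is a constructed stand-in for client-go's
// transport.ImpersonationConfig (username and groups only).
type ImpersonationConfig struct {
	UserName string
	Groups   []string
}

// impersonationHeaders models client-go: the Impersonate-* headers are only
// attached when some field is non-empty. An all-empty config therefore sends
// a plain request that the API server authenticates as the caller's own
// credentials, i.e. the flux-operator service account.
func impersonationHeaders(cfg ImpersonationConfig) http.Header {
	h := http.Header{}
	if cfg.UserName == "" && len(cfg.Groups) == 0 {
		return h // no wrapper installed, no headers added
	}
	h.Set("Impersonate-User", cfg.UserName)
	for _, g := range cfg.Groups {
		h.Add("Impersonate-Group", g)
	}
	return h
}

// validateImpersonation is the missing check (hypothetical helper, not the
// project's patch): refuse to build a user client when the CEL expressions
// resolved to an empty username, because Kubernetes impersonation requires
// Impersonate-User and groups alone cannot stand in for it.
func validateImpersonation(cfg ImpersonationConfig) error {
	if cfg.UserName == "" {
		return errors.New("impersonation username is empty: refusing to fall back to operator credentials")
	}
	return nil
}

func main() {
	// What the default CEL fallbacks yield for a token without email/groups claims.
	empty := ImpersonationConfig{}
	fmt.Printf("empty config -> headers=%v err=%v\n", impersonationHeaders(empty), validateImpersonation(empty))
	// Constructed sample user with both claims present.
	user := ImpersonationConfig{UserName: "alice@example.com", Groups: []string{"dev", "ops"}}
	fmt.Printf("user config  -> headers=%v err=%v\n", impersonationHeaders(user), validateImpersonation(user))
}
```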

Patches

This vulnerability was fixed in Flux Operator v0.40.0.

Workarounds

The workaround is to make the email and groups claims required in the web config impersonation section.

Example config:

apiVersion: web.fluxcd.controlplane.io/v1
kind: Config
spec:
  baseURL: https://flux.example.com
  authentication:
    type: OAuth2
    oauth2:
      provider: OIDC
      clientID: "<redacted>"
      clientSecret: "<redacted>"
      issuerURL: "https://login.microsoftonline.com/<redacted>/v2.0"
      scopes: [openid, profile, email, offline_access]
      impersonation:
        # No has() fallback: a token missing the claim fails CEL evaluation
        # instead of silently resolving to an empty username or group list.
        username: claims.email
        groups: claims.groups

References

See the pull request fixing this vulnerability: controlplaneio-fluxcd/flux-operator#610

Credits

This vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.

Published to the GitHub Advisory Database Jan 21, 2026
Reviewed Jan 21, 2026
Published by the National Vulnerability Database Jan 21, 2026
Last updated Jan 22, 2026

Severity

Moderate

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3.1 vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(10th percentile)

Weaknesses

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE ID

CVE-2026-23990

GHSA ID

GHSA-4xh5-jcj2-ch8q