SCA: security update for github.com/controlplaneio-fluxcd/flux-operator (GHSA-4xh5-jcj2-ch8q)

medium Tenable Cloud Security Plugin ID 436882

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the
ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege
escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to
bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account
privileges. To be vulnerable, cluster admins must have configured the Flux Operator with an OIDC
provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or with custom CEL
expressions that can evaluate to empty values. After OIDC token claims are processed through the CEL
expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When
both values are empty, the Kubernetes client-go library does not add `Impersonate-User` / `Impersonate-Group`
headers to API requests, so the API server authorizes those requests against the flux-operator service
account's own RBAC permissions instead of the authenticated user's more limited permissions. This can
result in privilege escalation and information disclosure. Version 0.40.0 patches the issue. (CVE-2026-23990)

Solution

Upgrade github.com/controlplaneio-fluxcd/flux-operator to version 0.40.0 or later. Until the upgrade is
applied, confirm that the configured OIDC provider issues the claims the Flux Operator maps to `username`
and `groups`, and that any custom CEL expressions cannot evaluate to empty values.

See Also

https://github.com/advisories/GHSA-4xh5-jcj2-ch8q

Plugin Details

Severity: Medium

ID: 436882

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/22/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-23990

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/21/2026

Vulnerability Publication Date: 1/21/2026

Reference Information

CVE: CVE-2026-23990