What is CVE-2026-23990?

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. ### Impact - **Privilege Escalation**: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions - **Data Exposure**: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions - **Information Disclosure**: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster ### Attack Scenario **Prerequisite**: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. 1. Cluster admin configures OIDC authentication with a provider that does not include `email` or `groups` claims in tokens 2. User authenticates with a valid token from that provider 3. The default CEL expressions evaluate to empty values: - Username: `has(claims.email) ? claims.email : ''` → `""` - Groups: `has(claims.groups) ? claims.groups : []` → `[]` 4. Authentication succeeds (token signature is valid) 5. A userClient is created with empty impersonation config 6. All subsequent API requests bypass impersonation and execute as the flux-operator service account 7. User gains operator-level read access across all namespaces ### Patches This vulnerability was fixed in Flux Operator v0.40.0. ### Workarounds The workaround is to make the `email` and `groups` claims required in the web config `impersonation` section. Example config: ```yaml apiVersion: web.fluxcd.controlplane.io/v1 kind: Config spec: baseURL: https://flux.example.com authentication: type: OAuth2 oauth2: provider: OIDC clientID: " " clientSecret: " " issuerURL: "https://login.microsoftonline.com/ /v2.0" scopes: [openid, profile, email, offline_access] impersonation: username: claims.email groups: claims.groups ``` ### References See the Pull Request fixing this vulnerability https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 ### Credits This vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.

What is the severity of CVE-2026-23990?

CVE-2026-23990 has a CVSS v3 score of 5.3, which is classified as Medium severity.

Is there an exploit available for CVE-2026-23990?

No known public exploits are currently available for CVE-2026-23990.

Is there a patch available for CVE-2026-23990?

Yes, patches are available for CVE-2026-23990. Check the vendor advisories for update instructions.

CVE-2026-23990 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v35.3

CVSS v20.0

Priority Score182.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

5.3

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges.

After OIDC token claims are processed through CEL expressions, there is no validation that the resulting username and groups values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions.

Impact

Privilege Escalation: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions
Data Exposure: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions
Information Disclosure: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster

Attack Scenario

Prerequisite: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., email, groups), or configure custom CEL expressions that can evaluate to empty values.

Cluster admin configures OIDC authentication with a provider that does not include email or groups claims in tokens
User authenticates with a valid token from that provider
The default CEL expressions evaluate to empty values:
- Username: has(claims.email) ? claims.email : '' → ""
- Groups: has(claims.groups) ? claims.groups : [] → []
Authentication succeeds (token signature is valid)
A userClient is created with empty impersonation config
All subsequent API requests bypass impersonation and execute as the flux-operator service account
User gains operator-level read access across all namespaces

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:High

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:Network

Availability:Network

Patch References

Github.com Github.com