CVE-2026-40109
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Description
### Impact The `gcr` Receiver type in Flux notification-controller does not validate the `email` claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as `/hook/sha256sum(token+name+namespace)`, where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's `.status.webhookPath` in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's `.spec.resources`. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed. ### Patches The fix in notification-controller v1.8.3 refactors the GCR Receiver authentication to allow users to extend the verification to `email` and `audience` claims in the JWT. This enables operators to configure their Receiver's secret with the expected GCP Service Account email and audience, which the controller will validate against the token's claims before accepting the request. Email validation example: ```yaml apiVersion: v1 kind: Secret metadata: name: gcr-webhook-token namespace: apps type: Opaque stringData: token: <random token> email: <service-account>@<project>.iam.gserviceaccount.com audience: https://<hostname>/hook/<sha256(token+name+namespace)> ``` For more information, please see the GCR Receiver documentation: https://fluxcd.io/flux/components/notification/receivers/#gcr ### Credits Thanks to Saroj Khadka for reporting this issue to the Flux Security Team.
How to fix CVE-2026-40109
To remediate CVE-2026-40109, upgrade the affected package to a fixed version below.
- —upgrade to 1.8.3 or later