CVE-2026-40109
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
描述
### Impact The `gcr` Receiver type in Flux notification-controller does not validate the `email` claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as `/hook/sha256sum(token+name+namespace)`, where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's `.status.webhookPath` in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config). Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's `.spec.resources`. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed. ### Patches The fix in notification-controller v1.8.3 refactors the GCR Receiver authentication to allow users to extend the verification to `email` and `audience` claims in the JWT. This enables operators to configure their Receiver's secret with the expected GCP Service Account email and audience, which the controller will validate against the token's claims before accepting the request. Email validation example: ```yaml apiVersion: v1 kind: Secret metadata: name: gcr-webhook-token namespace: apps type: Opaque stringData: token: <random token> email: <service-account>@<project>.iam.gserviceaccount.com audience: https://<hostname>/hook/<sha256(token+name+namespace)> ``` For more information, please see the GCR Receiver documentation: https://fluxcd.io/flux/components/notification/receivers/#gcr ### Credits Thanks to Saroj Khadka for reporting this issue to the Flux Security Team.
如何修補 CVE-2026-40109
要修補 CVE-2026-40109,請將受影響套件升級到下列已修補版本。
- —升級至 1.8.3 或更新版本