Summary
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Credits
Thanks to Saroj Khadka for reporting this issue to the Flux Security Team.
Impact
The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations.
Exploitation requires the attacker to know the Receiver's webhook URL. The webhook path is generated as /hook/sha256sum(token+name+namespace), where the token is a random string stored in a Kubernetes Secret. There is no API or endpoint that enumerates webhook URLs. An attacker cannot discover the path without either having access to the cluster and permissions to read the Receiver's .status.webhookPath in the target namespace, or obtaining the URL through other means (e.g. leaked secrets or access to Pub/Sub config).
Upon successful authentication, the controller triggers a reconciliation for all resources listed in the Receiver's .spec.resources. However, the practical impact is limited: Flux reconciliation is idempotent, so if the desired state in the configured sources (Git, OCI, Helm) has not changed, the reconciliation results in a no-op with no effect on cluster state. Additionally, Flux controllers deduplicate reconciliation requests, sending many requests in a short period results in only a single reconciliation being processed.
The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.
CVE-2026-40109 has a CVSS score of 3.1 (Low). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.8.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The fix in notification-controller v1.8.3 refactors the GCR Receiver authentication to allow users to extend the verification to email and audience claims in the JWT. This enables operators to configure their Receiver's secret with the expected GCP Service Account email and audience, which the controller will validate against the token's claims before accepting the request.
Email validation example:
apiVersion: v1
kind: Secret
metadata:
name: gcr-webhook-token
namespace: apps
type: Opaque
stringData:
token: <random token>
email: <service-account>@<project>.iam.gserviceaccount.com
audience: https://<hostname>/hook/<sha256(token+name+namespace)>
For more information, please see the GCR Receiver documentation: https://fluxcd.io/flux/components/notification/receivers/#gcr
Frequently Asked Questions
- What is CVE-2026-40109? CVE-2026-40109 is a low-severity improper authentication vulnerability in github.com/fluxcd/notification-controller (go), affecting versions < 1.8.3. It is fixed in 1.8.3. The application does not adequately verify the identity of a user, device, or process before granting access.
- How severe is CVE-2026-40109? CVE-2026-40109 has a CVSS score of 3.1 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/fluxcd/notification-controller are affected by CVE-2026-40109? github.com/fluxcd/notification-controller (go) versions < 1.8.3 is affected.
- Is there a fix for CVE-2026-40109? Yes. CVE-2026-40109 is fixed in 1.8.3. Upgrade to this version or later.
- Is CVE-2026-40109 exploitable, and should I be worried? Whether CVE-2026-40109 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40109 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40109? Upgrade
github.com/fluxcd/notification-controllerto 1.8.3 or later.