Summary
Source controller: Improper path handling allows traversal
Workarounds
There is no in-product workaround. Users should upgrade to a patched version.
As a defense-in-depth measure for the GitRepository sparse-checkout surface, a ValidatingAdmissionPolicy (or a third-party policy engine such as Kyverno or OPA Gatekeeper) can be deployed to reject GitRepository resources whose .spec.sparseCheckout entries contain .. or absolute path segments.
References
Credits
The path traversal in the Bucket reconciler was reported by JUNYI LIU. The path traversal in the GitRepository sparse-checkout validation was found and patched by the Flux engineering team.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the source-controller repository.
- Contact us at the CNCF Flux Channel.
Impact
An actor with the ability to influence the contents of a bucket referenced by a Bucket resource can cause source-controller to write fetched object data to paths outside the per-reconciliation working directory.
The corruption surface is bounded by source-controller's own and downstream Flux controllers' digest verification: source-controller verifies stored artifact digests during reconciliation and rebuilds on divergence; consumers (kustomize-controller, helm-controller) verify the digest of fetched artifacts and reject mismatches. These checks prevent a manipulated artifact from reaching the cluster, but an attacker can still write files anywhere the source-controller pod has permission to write.
Separately, a user with permission to create or update GitRepository resources can cause source-controller to test for the existence of paths outside the cloned repository. Because the result is exposed via the resource's status, this allows limited enumeration of file paths on the controller pod. This surface exists only on source-controller v1.6.0 and later, where the sparse-checkout feature was introduced.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
This vulnerability was fixed in source-controller v1.8.5.
Frequently Asked Questions
- What is CVE-2026-47680? CVE-2026-47680 is a medium-severity security vulnerability in github.com/fluxcd/source-controller (go), affecting versions >= 0.0.17, <= 1.8.4. It is fixed in 1.8.5.
- Which versions of github.com/fluxcd/source-controller are affected by CVE-2026-47680? github.com/fluxcd/source-controller (go) versions >= 0.0.17, <= 1.8.4 is affected.
- Is there a fix for CVE-2026-47680? Yes. CVE-2026-47680 is fixed in 1.8.5. Upgrade to this version or later.
- Is CVE-2026-47680 exploitable, and should I be worried? Whether CVE-2026-47680 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-47680 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-47680? Upgrade
github.com/fluxcd/source-controllerto 1.8.5 or later.