CVE-2026-40109 — Improper Authentication in Notification-controller

CWE-287 — Improper Authentication CWE-345 — Insufficient Verification of Data Authenticity2 documents2 sources

Severity

3.1LOWNVD

EPSS

0.0%

top 98.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fluxcd Notification-controller Github.com Fluxcd Notification-controller

Timeline

PublishedApr 9

Latest updateApr 10

Description

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations. Exploitation requires the attacker to know the Receiver's webhook URL. The w…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5fluxcd/notification-controller< 1.8.3

▶Gogithub.com/fluxcd_notification-controller< 1.8.3

🔴Vulnerability Details

GHSA

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering↗2026-04-10

▶