Fluxcd Notification-Controller vulnerabilities
2 known vulnerabilities affecting fluxcd/notification-controller.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 1, LOW 1
Vulnerabilities
CVE-2026-40109 | LOW | CVSS 3.1 | CWE-287 | fixed in 1.8.3 | 2026-04-09
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Rec
Sources: cvelistv5, nvd
CVE-2022-39272 | MEDIUM | CVSS 4.3 | CWE-1284 | ≥ 0.0.2, < 0.27.0 | v0.0.1 | 2022-10-22
Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of
Source: nvd