github.com/fluxcd/notification-controller vulnerabilities
2 known vulnerabilities affecting github.com/fluxcd/notification-controller.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 1, LOW 1
Vulnerabilities
CVE-2026-40109 | LOW | ≥ 0, < 1.8.3 | 2026-04-10
CVE-2026-40109 [LOW] CWE-287 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
### Impact
The `gcr` Receiver type in Flux notification-controller does not validate the `email` claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver
Source: GHSA
CVE-2022-39272 | MEDIUM | ≥ 0.0.1-alpha-1, < 0.27.0 | 2022-10-19
CVE-2022-39272 [MEDIUM] CWE-20 Improper use of metav1.Duration allows for Denial of Service
Flux controllers within the affected versions range are vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire
Sources: GHSA, OSV