VDB
GO-2026-4351
GO-2026-4351
PUBLISHED
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims in github.com/controlplaneio-fluxcd/flux-operator
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | controlplaneio-fluxcd/flux-operator | 0.36.0, 0.36.0 |
Timeline
- Feb 2, 2026 CVE Published
- Feb 4, 2026 CVE Updated
- May 1, 2026 Security Advisory
References
- https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-23990 advisory
- https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e patch
- https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 patch
- https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0 url