CVE-2026-23990

The Invisible Man: Bypassing Flux Operator Auth via Empty Claims

Amit Schendel
Senior Security Researcher

Jan 22, 2026 · 6 min read

Executive Summary (TL;DR)

The Flux Operator failed to validate empty results from OIDC CEL expressions. When a user provides empty identity claims, the operator attempts to impersonate 'nobody', causing the Kubernetes client to default to the operator's own service account. This turns a low-privilege user into a cluster admin.

A logic flaw in the Flux Operator's Web UI OIDC authentication allows authenticated users to bypass impersonation mechanisms. By presenting empty OIDC claims, an attacker can trick the system into falling back to the highly privileged service account of the operator itself.
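The fallback described above, modelled in Go as an added example (this is not flux-operator's or client-go's code): MapClaims is a simplified stand-in for the operator's CEL evaluation, ValidateIdentity is the fail-closed check the advisory says was missing, and ImpersonationHeaders mirrors the condition client-go's transport layer uses to decide whether to add Impersonate-* headers at all. All type, function and error names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Identity is what the operator's OIDC CEL expressions yield from the token claims.
type Identity struct {
	Username string
	Groups   []string
}

// ErrEmptyIdentity is our own name for the rejection the fix needs.
var ErrEmptyIdentity = errors.New("oidc: claim mapping produced an empty username")

// MapClaims stands in for CEL evaluation (simplified, not the operator's engine):
// it returns whatever the configured username claim holds, including "".
func MapClaims(claims map[string]string, usernameClaim string, groups []string) Identity {
	return Identity{Username: claims[usernameClaim], Groups: groups}
}

// ValidateIdentity is the missing check: fail closed on an empty username
// before the identity reaches the impersonating Kubernetes client.
func ValidateIdentity(id Identity) error {
	if id.Username == "" {
		return ErrEmptyIdentity
	}
	return nil
}

// ImpersonationHeaders models client-go's transport layer, which only installs an
// impersonating round tripper when some impersonation field is non-empty. All-empty
// means no Impersonate-* headers, so the request carries the operator's own token.
func ImpersonationHeaders(id Identity) http.Header {
	h := http.Header{}
	if id.Username != "" || len(id.Groups) > 0 { // mirrors the client-go condition
		h.Set("Impersonate-User", id.Username)
		for _, g := range id.Groups {
			h.Add("Impersonate-Group", g)
		}
	}
	return h // empty header set: caller's own service account is used
}

func main() {
	id := MapClaims(map[string]string{"email": ""}, "email", nil) // constructed empty claim
	fmt.Println(len(ImpersonationHeaders(id)), ValidateIdentity(id))
}
```

With the empty claim, the unchecked path yields zero impersonation headers, which is exactly the request that runs as the operator's service account; the check turns it into a rejected login instead.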


Technical Appendix

CVSS Score

5.3 / 10
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Systems

Flux Operator Web UI

Affected Versions Detail

Product: flux-operator (controlplaneio-fluxcd)
Affected Versions: >= 0.36.0, < 0.40.0
Fixed Version: 0.40.0
Attribute: Detail

CWE ID: CWE-269 (Improper Privilege Management)
Attack Vector: Network
CVSS: 5.3 (Medium)
Impact: Privilege Escalation
Platform: Kubernetes
Library: client-go

Vulnerability Timeline

2026-01-21  Vulnerability Published
2026-01-21  Patch Released (v0.40.0)