Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

Description

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges.

After OIDC token claims are processed through CEL expressions, there is no validation that the resulting username and groups values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions.

Impact

  • Privilege Escalation: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions
  • Data Exposure: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions
  • Information Disclosure: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster

Attack Scenario

Prerequisite: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., email, groups), or configure custom CEL expressions that can evaluate to empty values.

  1. Cluster admin configures OIDC authentication with a provider that does not include email or groups claims in tokens
  2. User authenticates with a valid token from that provider
  3. The default CEL expressions evaluate to empty values:
    - Username: has(claims.email) ? claims.email : ''""
    - Groups: has(claims.groups) ? claims.groups : [][]
  4. Authentication succeeds (token signature is valid)
  5. A userClient is created with empty impersonation config
  6. All subsequent API requests bypass impersonation and execute as the flux-operator service account
  7. User gains operator-level read access across all namespaces

Patches

This vulnerability was fixed in Flux Operator v0.40.0.

Workarounds

The workaround is to make the email and groups claims required in the web config impersonation section.

Example config:

apiVersion: web.fluxcd.controlplane.io/v1
kind: Config
spec:
  baseURL: https://flux.example.com
  authentication:
    type: OAuth2
    oauth2:
      provider: OIDC
      clientID: "<redacted>"
      clientSecret: "<redacted>"
      issuerURL: "https://login.microsoftonline.com/<redacted>/v2.0"
      scopes: [openid, profile, email, offline_access]
      impersonation:
        username: claims.email
        groups: claims.groups

References

See the Pull Request fixing this vulnerability https://github.com/controlplaneio-fluxcd/flux-operator/pull/610

Credits

This vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-01-21 22:23:33 UTC
Updated
2026-01-22 15:40:25 UTC
GitHub reviewed
2026-01-21 22:23:33 UTC
NVD published
2026-01-21

EPSS Score

Score Percentile
0.07% 22.25%

CVSS Scores

Base score Version Severity Vector
5.3 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-269 Improper Privilege Management
CWE-862 Missing Authorization

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/controlplaneio-fluxcd/flux-operator >= 0.36.0, < 0.40.0 0.40.0

References

cvelogic Threat Intelligence