CNNVD-202601-3331 Information

CNNVD ID

CNNVD-202601-3331

CVE-2026-23990

  • CNNVD Published: 2026-01-21

Description

flux-operator is open-source lifecycle management software from ControlPlane Enterprise for Flux CD. A vulnerability exists in flux-operator versions 0.36.0 up to, but not including, 0.40.0. It stems from the Web UI authentication code not validating whether the generated username and groups values are empty, which may lead to privilege escalation.

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

ControlPlane Enterprise for Flux CD

Published

2026-01-21

Last Modified

2026-02-24

References

  • https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q
  • https://github.com/controlplaneio-fluxcd/flux-operator/pull/610
  • https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e
  • https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0
  • https://access.redhat.com/security/cve/cve-2026-23990

Patch

https://github.com/controlplaneio-fluxcd/flux-operator/releases
