Flux notification-controller
cpe:2.3:a:fluxcd:notification-controller:*:*:*:*:*:*:*
- < 1.8.3
A vulnerability exists in Flux notification-controller versions prior to 1.8.3, specifically within the GCR Receiver type. The issue arises because the receiver does not validate the email claim in the Google OIDC tokens used for Pub/Sub push authentication. This oversight allows any valid Google-issued OIDC token, whichever identity it was issued to, to authenticate with the receiver's webhook endpoint and trigger unauthorized reconciliations in Flux. Exploitation requires knowledge of the receiver's webhook URL, which is derived from a token stored in a Kubernetes Secret. Without access to the cluster or leaked information, an attacker cannot easily discover this URL. While successful exploitation triggers reconciliations for the specified resources, the practical impact is limited because Flux's reconciliation is idempotent and duplicate requests are deduplicated.
Exploitation of this vulnerability allows for unauthorized triggering of Flux reconciliations via the GCR Receiver webhook, potentially disrupting the intended GitOps workflow, although the actual impact on the cluster state may be minimal due to Flux's reconciliation idempotency and request deduplication.
Users can upgrade to Flux notification-controller version 1.8.3, which patches this vulnerability by refactoring the GCR Receiver authentication to validate both the email and the audience claims in the JWT. Operators can configure the receiver's secret with the expected GCP Service Account email for validation. For more information, refer to the GCR Receiver documentation on the Flux website.
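To make the difference between the two behaviours concrete, the following Go example (added here; it is not code from the Flux project) puts the pre-1.8.3 pattern the advisory describes beside the checks the fix introduces. It operates on claims that a verifier has already extracted after checking the token signature against Google's published keys; the `IDTokenPayload` struct, the `baseChecks` helper standing in for "any valid Google-issued token" (issuer and expiry only), and the `example.invalid` webhook URL and service-account addresses are all assumptions constructed for the example, not values from notification-controller.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// IDTokenPayload holds the claims a verifier exposes once the token's
// signature has been checked against Google's keys. The shape is an
// assumption for this example (loosely modelled on the Payload type of
// google.golang.org/api/idtoken); it is not notification-controller's type.
type IDTokenPayload struct {
	Issuer   string                 // "iss"
	Audience string                 // "aud"
	Expires  int64                  // "exp", Unix seconds
	Claims   map[string]interface{} // remaining claims, e.g. "email", "email_verified"
}

// Issuer values Google uses for the ID tokens attached to Pub/Sub push requests.
var googleIssuers = map[string]bool{
	"https://accounts.google.com": true,
	"accounts.google.com":         true,
}

// baseChecks is what "any valid Google-issued token" amounts to here: a Google
// issuer and an unexpired token. Signature verification is assumed to have
// happened before this point.
func baseChecks(p IDTokenPayload, now time.Time) error {
	if !googleIssuers[p.Issuer] {
		return fmt.Errorf("unexpected issuer %q", p.Issuer)
	}
	if now.Unix() >= p.Expires {
		return errors.New("token expired")
	}
	return nil
}

// ValidateWeak models the pre-1.8.3 behaviour the advisory describes: nothing
// binds the token to the expected sender or to this receiver, so a token
// minted for any Google identity passes.
func ValidateWeak(p IDTokenPayload, now time.Time) error {
	return baseChecks(p, now)
}

// ValidateStrict models the 1.8.3 fix: the audience must be this receiver's
// webhook URL and the email claim must be the configured push service
// account. Google sets email_verified for service-account tokens, so an
// unverified email is rejected as well.
func ValidateStrict(p IDTokenPayload, now time.Time, expectedAudience, expectedEmail string) error {
	if err := baseChecks(p, now); err != nil {
		return err
	}
	if expectedAudience == "" || expectedEmail == "" {
		return errors.New("receiver misconfigured: expected audience and email must both be set")
	}
	if p.Audience != expectedAudience {
		return fmt.Errorf("audience %q does not match receiver %q", p.Audience, expectedAudience)
	}
	email, _ := p.Claims["email"].(string)
	verified, _ := p.Claims["email_verified"].(bool)
	if !verified || email != expectedEmail {
		return fmt.Errorf("email claim %q is not the configured service account", email)
	}
	return nil
}

func main() {
	now := time.Unix(1700000000, 0)
	// Placeholder webhook URL and service accounts, constructed for the example.
	hook := "https://example.invalid/hook/PLACEHOLDER-TOKEN"
	pushSA := "pubsub-push@my-project.iam.gserviceaccount.com"
	fromPush := IDTokenPayload{Issuer: "https://accounts.google.com", Audience: hook, Expires: now.Unix() + 600,
		Claims: map[string]interface{}{"email": pushSA, "email_verified": true}}
	fromOther := fromPush
	fromOther.Claims = map[string]interface{}{"email": "unrelated@other-project.iam.gserviceaccount.com", "email_verified": true}

	fmt.Println("weak, expected sender:  ", ValidateWeak(fromPush, now))
	fmt.Println("weak, other identity:   ", ValidateWeak(fromOther, now)) // nil: accepted
	fmt.Println("strict, expected sender:", ValidateStrict(fromPush, now, hook, pushSA))
	fmt.Println("strict, other identity: ", ValidateStrict(fromOther, now, hook, pushSA))
}
```

The audience check is what stops a token that was legitimately minted for some other Google-authenticated endpoint from being replayed against this receiver, and the email check is what ties the request to the one service account the operator configured; both are needed, which is why the fixed receiver reads the expected email from its secret rather than accepting any verified Google identity.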