Headline
GHSA-4xh5-jcj2-ch8q: Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator’s service account privileges.
After OIDC token claims are processed through CEL expressions, there is no validation that the resulting username and groups values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account’s credentials instead of the authenticated user’s limited permissions.
Impact
- Privilege Escalation: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions
- Data Exposure: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions
- Information Disclosure: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster
Attack Scenario
Prerequisite: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., email, groups), or configure custom CEL expressions that can evaluate to empty values.
- Cluster admin configures OIDC authentication with a provider that does not include
emailorgroupsclaims in tokens - User authenticates with a valid token from that provider
- The default CEL expressions evaluate to empty values:
- Username:
has(claims.email) ? claims.email : ''→"" - Groups:
has(claims.groups) ? claims.groups : []→[]
- Username:
- Authentication succeeds (token signature is valid)
- A userClient is created with empty impersonation config
- All subsequent API requests bypass impersonation and execute as the flux-operator service account
- User gains operator-level read access across all namespaces
Patches
This vulnerability was fixed in Flux Operator v0.40.0.
Workarounds
The workaround is to make the email and groups claims required in the web config impersonation section.
Example config:
apiVersion: web.fluxcd.controlplane.io/v1
kind: Config
spec:
baseURL: https://flux.example.com
authentication:
type: OAuth2
oauth2:
provider: OIDC
clientID: "<redacted>"
clientSecret: "<redacted>"
issuerURL: "https://login.microsoftonline.com/<redacted>/v2.0"
scopes: [openid, profile, email, offline_access]
impersonation:
username: claims.email
groups: claims.groups
References
See the Pull Request fixing this vulnerability https://github.com/controlplaneio-fluxcd/flux-operator/pull/610
Credits
This vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator’s service account privileges.
After OIDC token claims are processed through CEL expressions, there is no validation that the resulting username and groups values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account’s credentials instead of the authenticated user’s limited permissions.
Impact
- Privilege Escalation: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions
- Data Exposure: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions
- Information Disclosure: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster
Attack Scenario
Prerequisite: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., email, groups), or configure custom CEL expressions that can evaluate to empty values.
- Cluster admin configures OIDC authentication with a provider that does not include email or groups claims in tokens
- User authenticates with a valid token from that provider
- The default CEL expressions evaluate to empty values:
- Username: has(claims.email) ? claims.email : ‘’ → “”
- Groups: has(claims.groups) ? claims.groups : [] → []
- Authentication succeeds (token signature is valid)
- A userClient is created with empty impersonation config
- All subsequent API requests bypass impersonation and execute as the flux-operator service account
- User gains operator-level read access across all namespaces
Patches
This vulnerability was fixed in Flux Operator v0.40.0.
Workarounds
The workaround is to make the email and groups claims required in the web config impersonation section.
Example config:
apiVersion: web.fluxcd.controlplane.io/v1 kind: Config spec: baseURL: https://flux.example.com authentication: type: OAuth2 oauth2: provider: OIDC clientID: “<redacted>” clientSecret: “<redacted>” issuerURL: “https://login.microsoftonline.com/<redacted>/v2.0” scopes: [openid, profile, email, offline_access] impersonation: username: claims.email groups: claims.groups
References
See the Pull Request fixing this vulnerability controlplaneio-fluxcd/flux-operator#610
Credits
This vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.
References
- GHSA-4xh5-jcj2-ch8q
- controlplaneio-fluxcd/flux-operator#610
- controlplaneio-fluxcd/flux-operator@0845404
- https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0