+ "details": "A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges.\n\nAfter OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions.\n\n### Impact\n\n- **Privilege Escalation**: Any authenticated user can escalate to operator-level read permissions and perform suspend/resume/reconcile actions\n- **Data Exposure**: Unauthorized read access to Flux resources across all namespaces, bypassing RBAC restrictions\n- **Information Disclosure**: View sensitive GitOps pipeline configurations, source URLs, and deployment status across the entire cluster\n\n### Attack Scenario\n\n**Prerequisite**: Cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values.\n\n1. Cluster admin configures OIDC authentication with a provider that does not include `email` or `groups` claims in tokens\n2. User authenticates with a valid token from that provider\n3. The default CEL expressions evaluate to empty values:\n - Username: `has(claims.email) ? claims.email : ''` → `\"\"`\n - Groups: `has(claims.groups) ? claims.groups : []` → `[]`\n4. Authentication succeeds (token signature is valid)\n5. A userClient is created with empty impersonation config\n6. All subsequent API requests bypass impersonation and execute as the flux-operator service account\n7. User gains operator-level read access across all namespaces\n\n### Patches\n\nThis vulnerability was fixed in Flux Operator v0.40.0.\n\n### Workarounds\n\nThe workaround is to make the `email` and `groups` claims required in the web config `impersonation` section.\n\nExample config:\n\n```yaml\napiVersion: web.fluxcd.controlplane.io/v1\nkind: Config\nspec:\n baseURL: https://flux.example.com\n authentication:\n type: OAuth2\n oauth2:\n provider: OIDC\n clientID: \"<redacted>\"\n clientSecret: \"<redacted>\"\n issuerURL: \"https://login.microsoftonline.com/<redacted>/v2.0\"\n scopes: [openid, profile, email, offline_access]\n impersonation:\n username: claims.email\n groups: claims.groups\n```\n\n### References\n\nSee the Pull Request fixing this vulnerability https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 \n\n### Credits\n\nThis vulnerability was discovered by the Flux Operator maintainers during a debugging session with end-users.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments