Vulnerability Reportfluxcd/flux-cli:v2.8.6

fluxcd/flux-cli:v2.8.6

DIGESTsha256:8dac34106b9d684ce07b13c9762b5132813c3d477cfd724e9e13cc5944ad771e

Executive Summary

Threat ScoreDANGEROUS• CVE-2026-45570 (severity 8.16) enables remote code execution when connecting to a malicious Git repository via SSH, a core function of this GitOps CLI.• 99 exposed vulnerabilities including 19 with CVSS >= 6.0 and 1 with CVSS >= 8.0, creating a large attack surface.• CVE-2026-34183 (severity 6.38) allows unbounded memory growth via QUIC PATH_CHALLENGE flooding, leading to denial of service.• CVE-2026-45022 (severity 6.38) allows malformed Git object parsing that could bypass commit signing verification.• Trust rating is high (90, POPULAR COMMUNITY) but does not compensate for the severe vulnerabilities present.

75/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (3M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution by sending a crafted Git repository to the Flux CLI via CVE-2026-45570, potentially compromising the host and connected systems. Note: CVE-2025-68121 (TLS certificate validation bypass) only applies if the application mutates TLS config between handshakes, which is not typical. Mitigation requires updating go-git to v5.19.1+ and OpenSSL to 3.5.7+ to address the most critical flaws; until then, deploying this image is unsafe.

Vulnerabilities

Vulnerability Log

110 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45570	HIGH8.16	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.1	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2025-68121	MEDIUM6.8	stdlib v1.25.5 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45022	MEDIUM6.38	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39829	MEDIUM6.38	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39830	MEDIUM6.38	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	golang.org/x/net v0.47.0 fixed in 0.53.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-41506	MEDIUM6.29	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.18.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42508	MEDIUM6.29	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-46595	MEDIUM6.03	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.53.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39821	MEDIUM5.58	golang.org/x/net v0.47.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-35469	MEDIUM5.52	github.com/moby/spdystream v0.5.0 fixed in 0.5.1	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-61726	MEDIUM5.1	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-25679	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32280	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32283	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-61728	MEDIUM5.1	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-46598	MEDIUM4.5	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2025-61730	MEDIUM4.5	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34165	MEDIUM4.25	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.17.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-35206	LOW3.74	helm.sh/helm/v4 v4.1.3 fixed in 4.1.4	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.6-r0 fixed in 3.5.7-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.6-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33186	LOW2.78	google.golang.org/grpc v1.78.0 fixed in 1.79.3	0.5% Theoretical Threat	Post-Exploit
CVE-2026-32952	LOW2.7	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35204	LOW2.63	helm.sh/helm/v4 v4.1.3 fixed in 4.1.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35205	LOW2.39	helm.sh/helm/v4 v4.1.3 fixed in 4.1.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33762	LOW2.38	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.17.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-29181	LOW2.29	go.opentelemetry.io/otel v1.36.0 fixed in 1.41.0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-44973	NONE0	github.com/go-git/go-billy/v5 v5.7.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-44740	NONE0	github.com/go-git/go-billy/v5 v5.7.0 fixed in 5.9.0	0.3% Theoretical Threat	Not Applicable
CVE-2026-45571	NONE0	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.1	0.3% Theoretical Threat	Not Applicable
GHSA-w5pp-99ch-qj29	NONE0	github.com/go-git/go-git/v5 v5.16.5 fixed in 5.19.1	—	Not Applicable
CVE-2026-39827	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.50.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.53.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.43.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.47.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.38.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable