Fix CVE-2026-40109 (#386)

matheuscscp · web-flow · commit 87fb6d6e6d97 · 2026-04-13T11:58:01.000+01:00
Signed-off-by: Matheus Pimenta &lt;matheuscscp@gmail.com&gt;
diff --git a/releases/release-v2.6.trivyignore b/releases/release-v2.6.trivyignore
@@ -1,3 +1,6 @@
 # justification: vulnerable_code_not_in_execute_path
 CVE-2025-66506
 CVE-2025-66564
+
+# status: fixed (backported via patch; false positive from pseudo-version semver)
+CVE-2026-40109
diff --git a/releases/release-v2.7.trivyignore b/releases/release-v2.7.trivyignore
@@ -1,3 +1,6 @@
 # justification: vulnerable_code_not_in_execute_path
 CVE-2025-66506
 CVE-2025-66564
+
+# status: fixed (backported via patch; false positive from pseudo-version semver)
+CVE-2026-40109
diff --git a/vex/v2.6.json b/vex/v2.6.json
@@ -132,6 +132,19 @@
       "status": "not_affected",
       "justification": "vulnerable_code_not_in_execute_path",
       "impact_statement": "The vulnerable code is not executed by Flux"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2026-40109"
+      },
+      "timestamp": "2026-04-13T10:00:00Z",
+      "products": [
+        {
+          "@id": "pkg:oci/notification-controller"
+        }
+      ],
+      "status": "fixed",
+      "impact_statement": "False positive: the fix for this vulnerability has been backported to the Enterprise Flux v2.6 release branch of notification-controller via a patch and is included in the shipped binary. Trivy flags this based on the pseudo-version of the Go module being lower than the upstream fixed version (1.8.3), but the vulnerable code path is not present in the binary."
     }
   ]
 }
diff --git a/vex/v2.7.json b/vex/v2.7.json
@@ -188,6 +188,19 @@
       "status": "not_affected",
       "justification": "vulnerable_code_not_in_execute_path",
       "impact_statement": "The vulnerable code is not executed by Flux"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2026-40109"
+      },
+      "timestamp": "2026-04-13T10:00:00Z",
+      "products": [
+        {
+          "@id": "pkg:oci/notification-controller"
+        }
+      ],
+      "status": "fixed",
+      "impact_statement": "False positive: the fix for this vulnerability has been backported to the Enterprise Flux v2.7 release branch of notification-controller via a patch and is included in the shipped binary. Trivy flags this based on the pseudo-version of the Go module being lower than the upstream fixed version (1.8.3), but the vulnerable code path is not present in the binary."
     }
   ]
 }
