Flux v2.8.2 released on 12-03-2026

Flux v2.8.2 is out now. It rebuilds all controllers with Go 1.26.1 to mitigate a TLS handshake Denial of Service (CVE-2026-27138), so operators should upgrade to receive the runtime fix.
See the full changelog on GitHub and follow the Upgrade Procedure for Flux v2.7+ for upgrade instructions.
What’s in this release
- Security: all controllers rebuilt with Go 1.26.1 to address a potential TLS handshake DoS (CVE-2026-27138).
- Helm controller fixes and reliability improvements — Helm bumped to 4.1.3 to fix a Go template/YAML separator bug where '---' could be concatenated with apiVersion; fixes for enqueuing reconciliation requests when sources emit events for a revision already being reconciled; new feature gate DefaultToRetryOnFailure to avoid cancelled HelmReleases getting stuck (improves behaviour when CancelHealthCheckOnNewRevision is enabled).
- Source and image controller fixes — ACR auth scope corrected to use the ACR-specific scope; image-reflector-controller and image-automation-controller bumped to v1.1.1; component updates include source-controller v1.8.1, kustomize-controller v1.8.2, notification-controller v1.8.2, helm-controller v1.5.2 and source-watcher v2.1.1.
Upgrade notes
- Users upgrading from v2.6+ should follow the documented Upgrade Procedure for Flux v2.7+ to ensure a smooth transition.
- If you need to review changes or consider a rollback, consult the full changelog and compare view; no special rollback steps are documented beyond normal controller management.
We welcome feedback — please share your upgrade experience and any issues encountered on the Flux GitHub discussions or issue tracker.
