Flux | v2.8.2

Flux v2.8.2 released on 12-03-2026


Flux v2.8.2 is out now. It rebuilds all controllers with Go 1.26.1 to mitigate a TLS handshake Denial of Service (CVE-2026-27138), so operators should upgrade to receive the runtime fix.

See the full changelog on GitHub and follow the Upgrade Procedure for Flux v2.7+ for upgrade instructions: full changelog, Upgrade Procedure for Flux v2.7+.

What’s in this release

  • Security: all controllers rebuilt with Go 1.26.1 to address a potential TLS handshake DoS (CVE-2026-27138).
  • Helm controller fixes and reliability improvements — Helm bumped to 4.1.3 to fix a Go template/YAML separator bug where ‘—‘ could be concatenated with apiVersion; fixes for enqueuing reconciliation requests when sources emit events for a revision already being reconciled; new feature gate DefaultToRetryOnFailure to avoid cancelled HelmReleases getting stuck (improves behaviour when CancelHealthCheckOnNewRevision is enabled).
  • Source and image controller fixes — ACR auth scope corrected to use the ACR-specific scope; image-reflector-controller and image-automation-controller bumped to v1.1.1; component updates include source-controller v1.8.1, kustomize-controller v1.8.2, notification-controller v1.8.2, helm-controller v1.5.2 and source-watcher v2.1.1.

Upgrade notes

We welcome feedback — please share your upgrade experience and any issues encountered on the Flux GitHub discussions or issue tracker.

Related posts

Agentic AI still needs domain judgement

Agentic AI can write the thing, but it still cannot tell you whether the thing is right. That is where domain expertise matters, because a clean config or neat bit of glue logic can still be wrong in...

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...