Flux v2.8.8 released on 20-05-2026

Flux v2.8.8 is out now. It delivers security fixes and dependency hygiene—most notably an update to go-git v5.19.1 addressing CVE-2026-45571 and CVE-2026-45570 that affect source-controller and image-automation-controller—and a set of reliability and registry improvements across helm-controller and source-controller.
Read the full changelog on GitHub and follow the Upgrade Procedure for Flux v2.7+ for upgrade guidance: full changelog · Upgrade Procedure for Flux v2.7+
What’s in this release
- go-git updated to v5.19.1 to address CVE-2026-45571 and CVE-2026-45570 (affects source-controller and image-automation-controller)
- helm-controller v1.5.5: configurable HTTP timeout for artifact fetching, fix for unbounded memory growth in the Kubernetes client transport retry wrapper, stop force-applying non-CRD objects in a chart’s crds/ directory, fix Helm test failures for release names longer than 53 characters, and Helm moved back to upstream v4.2.0
- source-controller v1.8.5 and image controllers: improved source reconciler path handling, support for Helm semver build-metadata in OCIRepository tags, support for GCP sovereign cloud artifact registries, and Kubernetes client dependencies upgraded to 1.36.1
Upgrade notes
- No breaking changes are reported in the release notes; users are strongly encouraged to upgrade to pick up the CVE fixes and dependency updates—see the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from v2.6.
- Component diffs are available in the full changelog; consult those links for component-level rollback guidance if you need to revert specific controllers: compare v2.8.7…v2.8.8
Share any feedback or reports of issues on the Flux GitHub discussions or issue trackers so others can benefit from your experience.


