CVE-2026-33022
Published 2026-03-20
Priority P3 · 36 · medium · 6.5 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.37% (28.7th percentile)
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | tektoncd_pipeline | >= 0.60.0 < 1.0.1 | 1.0.1 |
| github.com | tektoncd_pipeline | >= 0.60.0 | — |
| github.com | tektoncd_pipeline | >= 1.1.0 < 1.3.3 | 1.3.3 |
| github.com | tektoncd_pipeline | >= 1.10.0 < 1.10.2 | 1.10.2 |
| github.com | tektoncd_pipeline | >= 1.4.0 < 1.6.1 | 1.6.1 |
| github.com | tektoncd_pipeline | >= 1.7.0 < 1.9.2 | 1.9.2 |
| linuxfoundation | tekton_pipelines | >= 0.60.0 < 1.0.1 | 1.0.1 |
| linuxfoundation | tekton_pipelines | >= 1.1.0 < 1.3.3 | 1.3.3 |
| linuxfoundation | tekton_pipelines | >= 1.10.0 < 1.10.2 | 1.10.2 |
| linuxfoundation | tekton_pipelines | >= 1.4.0 < 1.6.1 | 1.6.1 |
| linuxfoundation | tekton_pipelines | >= 1.7.0 < 1.9.2 | 1.9.2 |
| tektoncd | pipeline | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 6.5 | MEDIUM | — |
OSV
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun in github.com/tektoncd/pipeline
osv · 2026-03-23
GHSA
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun
ghsa · 2026-03-17 · MEDIUM · CWE-129
### Summary
A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting `.spec.taskRef.resolver` (or `.spec.pipelineRef.resolver`) to a string of 31 characters or more, causing a denial of service for all reconciliation.
### Details
The controller panics in `GenerateDeterministicNameFromSpec` when building a deterministic `ResolutionRequest` name. The generated name has the format `{resolver}-{hash}` and, when the resolver name is long enough, the result exceeds the DNS-1123 label limit of 63 characters.
The truncation logic attempts to find a word boundary using `strings.LastIndex(name, " ")`. Since the generated name never contains spaces (it i
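The truncation bug described in the Details section above and in the CVE description, shown as an added Go example that is not Tekton's own code: a reconstruction of the faulty `{resolver}-{hash}` truncation beside the patched approach of trimming only the resolver prefix so the hash suffix survives. The 32-character hash length, the `specHash` helper and the function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const maxLabelLen = 63 // DNS-1123 label limit for the ResolutionRequest name

// specHash stands in for the controller's deterministic spec hash (assumed here: 32 hex chars).
func specHash(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:])[:32]
}

// vulnerableName mirrors the faulty truncation the advisory describes: it looks for a
// space that "{resolver}-{hash}" never contains, LastIndex returns -1, and the slice panics.
func vulnerableName(resolver, spec string) string {
	name := resolver + "-" + specHash(spec)
	if len(name) > maxLabelLen {
		idx := strings.LastIndex(name[:maxLabelLen], " ") // always -1 here
		name = name[:idx]                                 // runtime panic: slice bounds out of range [:-1]
	}
	return name
}

// fixedName follows the patched approach: trim only the resolver prefix so the
// hash suffix, and with it determinism and uniqueness, is preserved.
func fixedName(resolver, spec string) string {
	hash := specHash(spec)
	budget := maxLabelLen - len(hash) - 1 // room left for the prefix
	if len(resolver) > budget {
		resolver = strings.TrimRight(resolver[:budget], "-") // keep the label valid
	}
	return resolver + "-" + hash
}

func panics(fn func()) (crashed bool) { // observe the crash without taking the process down
	defer func() { crashed = recover() != nil }()
	fn()
	return false
}

func main() {
	long := strings.Repeat("x", 31) // the 31-character threshold from the advisory
	fmt.Println("vulnerable panics:", panics(func() { vulnerableName(long, "spec") }))
	fmt.Println("fixed name:", fixedName(long, "spec"))
}
```

The same check explains why built-in resolver names never reach the faulty branch: with a 32-character hash, only a prefix of 31 or more characters pushes the name past 63.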
OSV
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun
osv · 2026-03-17 · MEDIUM
Red Hat
github.com/tektoncd/pipeline: Tekton Pipelines: Denial of Service via long resolver names
vendor_redhat · 2026-03-20 · CVSS 6.5 · MEDIUM · CWE-130
No detection rules found.
No public exploits indexed.