cbcvebase.
CVE-2026-33211
published 2026-03-24

CVE-2026-33211: Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1…

PriorityP262critical9.6CVSS 3.1
AVNACLPRLUINSCCHIHAN
EPSS
0.57%
43.0th percentile
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.

Affected

15 ranges
VendorProductVersion rangeFixed in
github.comtektoncd_pipeline>= 1.0.0 < 1.0.11.0.1
github.comtektoncd_pipeline>= 1.1.0 < 1.3.31.3.3
github.comtektoncd_pipeline>= 1.10.0 < 1.10.21.10.2
github.comtektoncd_pipeline>= 1.4.0 < 1.6.11.6.1
github.comtektoncd_pipeline>= 1.7.0 < 1.9.21.9.2
linuxfoundationtekton_pipelines
linuxfoundationtekton_pipelines>= 1.1.0 < 1.3.31.3.3
linuxfoundationtekton_pipelines>= 1.10.0 < 1.10.21.10.2
linuxfoundationtekton_pipelines>= 1.4.0 < 1.6.11.6.1
linuxfoundationtekton_pipelines>= 1.7.0 < 1.9.21.9.2
tektoncdpipeline
tektoncdpipeline
tektoncdpipeline
tektoncdpipeline
tektoncdpipeline

Detection & IOCsextracted from sources · hover to see the quote

  • Path traversal attack vector: monitor `ResolutionRequest` objects (or `TaskRun`/`PipelineRun` resources using the git resolver) where the `pathInRepo` parameter contains path traversal sequences (e.g., `../`) to escape the repository root and access arbitrary filesystem paths on the resolver pod.
  • Exfiltration indicator: file contents of arbitrary files (including ServiceAccount tokens) are returned base64-encoded in the `resolutionrequest.status.data` field — audit this field for unexpected or sensitive content.
  • Audit creation of `ResolutionRequest` resources by non-admin tenants, especially those referencing the git resolver, as this is the required primitive to exploit the path traversal.
  • ·Vulnerable version range is Tekton Pipelines 1.0.0 up to (not including) the patched versions; patched releases are 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 — ensure deployed version falls outside the vulnerable range.
  • ·Restrict RBAC so that only trusted users and service accounts can create `ResolutionRequests`, `TaskRuns`, or `PipelineRuns` that invoke the git resolver, to reduce the attack surface.

CVSS provenance

nvdv3.19.6CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vendor_redhat9.6CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.