CVE-2026-33211
Published 2026-03-24
Severity: critical · CVSS 3.1 base score 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS: 0.57% (43.0th percentile)
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | tektoncd_pipeline | >= 1.0.0 < 1.0.1 | 1.0.1 |
| github.com | tektoncd_pipeline | >= 1.1.0 < 1.3.3 | 1.3.3 |
| github.com | tektoncd_pipeline | >= 1.10.0 < 1.10.2 | 1.10.2 |
| github.com | tektoncd_pipeline | >= 1.4.0 < 1.6.1 | 1.6.1 |
| github.com | tektoncd_pipeline | >= 1.7.0 < 1.9.2 | 1.9.2 |
| linuxfoundation | tekton_pipelines | — | — |
| linuxfoundation | tekton_pipelines | >= 1.1.0 < 1.3.3 | 1.3.3 |
| linuxfoundation | tekton_pipelines | >= 1.10.0 < 1.10.2 | 1.10.2 |
| linuxfoundation | tekton_pipelines | >= 1.4.0 < 1.6.1 | 1.6.1 |
| linuxfoundation | tekton_pipelines | >= 1.7.0 < 1.9.2 | 1.9.2 |
| tektoncd | pipeline | — | — |
| tektoncd | pipeline | — | — |
| tektoncd | pipeline | — | — |
| tektoncd | pipeline | — | — |
| tektoncd | pipeline | — | — |
Detection & IOCs (extracted from sources)
- Path traversal attack vector: monitor `ResolutionRequest` objects (or `TaskRun`/`PipelineRun` resources using the git resolver) where the `pathInRepo` parameter contains path traversal sequences (e.g., `../`) intended to escape the repository root and reach arbitrary filesystem paths on the resolver pod.
- Exfiltration indicator: file contents of arbitrary files (including ServiceAccount tokens) are returned base64-encoded in the `resolutionrequest.status.data` field; audit this field for unexpected or sensitive content.
- Audit creation of `ResolutionRequest` resources by non-admin tenants, especially those referencing the git resolver, as this is the required primitive to exploit the path traversal.
- Vulnerable version range is Tekton Pipelines 1.0.0 up to (not including) the patched versions; patched releases are 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. Ensure the deployed version falls outside the vulnerable range.
- Restrict RBAC so that only trusted users and service accounts can create `ResolutionRequests`, `TaskRuns`, or `PipelineRuns` that invoke the git resolver, to reduce the attack surface.
CVSS provenance
- NVD (CVSS v3.1): 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- Red Hat (vendor): 9.6 CRITICAL
OSV
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod in github.com/tektoncd/pipeline
osv · 2026-03-23
GHSA
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod
ghsa · 2026-03-18 · CRITICAL · CWE-22
### Summary
The Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`.
### Details
The git resolver's `getFileContent()` function in `pkg/resolution/resolver/git/repository.go` constructs a file path by joining the repository clone directory with the user-supplied `pathInRepo` parameter:
```go
fileContents, err := os.ReadFile(filepath.Join(repo.di
```
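The join pattern described above, with the containment check a fixed resolver needs, as an added example that is not Tekton's code: `repoDir` and `pathInRepo` are illustrative names, and `resolveInRepo`/`readRepoFile` are hypothetical helpers written for this page.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when pathInRepo would leave the clone directory.
var ErrOutsideRepo = errors.New("pathInRepo escapes the repository root")

// resolveInRepo: the advisory's join pattern beside its fix (illustrative names, not Tekton's code).
func resolveInRepo(repoDir, pathInRepo string) (string, error) {
	root, err := filepath.Abs(repoDir)
	if err != nil {
		return "", err
	}
	// Vulnerable step: filepath.Join cleans "..", but cleaning happily climbs
	// above root, so "../../var/run/secrets/..." yields a path outside the clone.
	joined := filepath.Join(root, pathInRepo)
	// Hardened step: express the result relative to root; anything that begins
	// with ".." left the clone and is rejected before any file is read.
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return joined, nil
}

// readRepoFile performs the containment check before os.ReadFile, so a
// ResolutionRequest can only read files inside the clone (symlinks inside the clone are not handled here).
func readRepoFile(repoDir, pathInRepo string) ([]byte, error) {
	p, err := resolveInRepo(repoDir, pathInRepo)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	// Constructed sample clone: one task file, then one in-repo and one traversing read.
	dir, _ := os.MkdirTemp("", "clone")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "task.yaml"), []byte("kind: Task\n"), 0o644)
	_, okErr := readRepoFile(dir, "task.yaml")
	_, badErr := readRepoFile(dir, "../../etc/hostname")
	fmt.Println(okErr, badErr) // <nil> pathInRepo escapes the repository root
}
```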
OSV
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod
osv · 2026-03-18 · CRITICAL
Red Hat
Tekton Pipelines: github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure via path traversal in git resolver
vendor_redhat · 2026-03-23 · CVSS 9.6 · CRITICAL · CWE-22
A flaw was found in Tekton
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33211 Tekton Pipelines: github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure via path traversal in git resolver
bugzilla · 2026-03-24 · CVSS 9.6 · CRITICAL
Wiz
CVE-2026-33211 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.6 · CRITICAL
Wolfi vulnerability analysis and mitigation (source: NVD)
- Score: 9.6 (CNA score 9.6), severity CRITICAL, published March 24, 2026
- Affected technologies: Wolfi, Chainguard
- Has public exploit: No; Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
- Exploitation Probability Percentile (EPSS): 6.7; Exploitation Probability (EPSS): N/A
- Affected packages and libraries: tekton-chains-fips, tekton-pipelines-1.3
- Fix status by source: Chainguard has fix (added Mar 20, 2026); GoLang severity CRITICAL, has fix (added Mar 19, 2026); Wolfi has fix (added Mar 20, 2026)
References
- https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c
- https://github.com/tektoncd/pipeline/commit/318006c4e3a5
- https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd
- https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae
- https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e
- https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db
- https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78
- https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c
- https://access.redhat.com/errata/RHSA-2026:10026
- https://access.redhat.com/errata/RHSA-2026:10066
- https://access.redhat.com/errata/RHSA-2026:10125
- https://access.redhat.com/errata/RHSA-2026:10155
- https://access.redhat.com/errata/RHSA-2026:10158
- https://access.redhat.com/errata/RHSA-2026:21931
- https://access.redhat.com/errata/RHSA-2026:21932
- https://access.redhat.com/errata/RHSA-2026:24484
- https://access.redhat.com/errata/RHSA-2026:6166
- https://access.redhat.com/errata/RHSA-2026:6170
- https://access.redhat.com/security/cve/CVE-2026-33211
- https://bugzilla.redhat.com/show_bug.cgi?id=2450554
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33211.json