GitHub tektoncd/pipeline vulnerabilities
8 known vulnerabilities affecting github.com/tektoncd_pipeline.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 4, LOW 1
Vulnerabilities
CVE-2026-33211 | P2 | CRITICAL | Affected: ≥ 1.0.0, < 1.0.1; ≥ 1.1.0, < 1.3.3; +3 more | Date: 2026-03-18
CVE-2026-33211 [CRITICAL] CWE-22 Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod
### Summary
The Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary file
Sources: GHSA, OSV
CVE-2026-40938 | P2 | HIGH | Affected: ≥ 1.0.0, < 1.11.1 | Date: 2026-04-21
CVE-2026-40938 [HIGH] CWE-88 Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
## Summary
The git resolver's `revision` parameter is passed directly as a positional argument to `git fetch` without any validation that it does not begin with a `-` character. Because git parses flags from mixed positional arguments, an attacker can inj
Source: GHSA
CVE-2026-40161 | P3 | HIGH | Affected: ≥ 1.0.0, ≤ 1.10.0 | Date: 2026-04-21
CVE-2026-40161 [HIGH] CWE-201 Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
### Summary
The Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled `serverURL` when the user omits the `token` parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API t
Source: GHSA
CVE-2026-25542 | P3 | MEDIUM | Affected: ≥ 0.43.0, < 1.11.0 | Date: 2026-04-21
CVE-2026-25542 [MEDIUM] CWE-185 Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
## Summary
The Trusted Resources verification system matches a resource source string (`refSource.URI`) against `spec.resources[].pattern` using Go's `regexp.MatchString`. In Go, `regexp.MatchString` reports a match if the pattern matches **anywhere** in the input string. As a result, common unanc
Source: GHSA
CVE-2026-40924 | P3 | MEDIUM | Affected: ≥ 0, < 1.11.1 | Date: 2026-04-21
CVE-2026-40924 [MEDIUM] CWE-400 Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion
## Summary
The HTTP resolver's `FetchHttpResource` function calls `io.ReadAll(resp.Body)` with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-c
Source: GHSA
CVE-2026-33022 | P3 | MEDIUM | Affected: ≥ 0.60.0, < 1.0.1; ≥ 1.1.0, < 1.3.3; +3 more | Date: 2026-03-17
CVE-2026-33022 [MEDIUM] CWE-129 Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun
### Summary
A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting `.spec.taskRef.resolver` (or `.spec.pipelineRef.resolver`) to a string of 31 characters or more, causing a denial of service for all reconciliation.
### Details
The contro
Sources: GHSA, OSV
CVE-2026-40923 | P4 | MEDIUM | Affected: ≥ 0, < 1.11.1 | Date: 2026-04-21
CVE-2026-40923 [MEDIUM] CWE-22 Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check
## Summary
A validation bypass in the VolumeMount path restriction allows mounting volumes under restricted `/tekton/` internal paths by using `..` path traversal components. The restriction check uses `strings.HasPrefix` without `filepath.Clean`, so a path like `/tekt
Source: GHSA
CVE-2023-37264 | P4 | LOW | Affected: ≥ 0.35.0, ≤ 0.52.0 | Date: 2023-07-07
CVE-2023-37264 [LOW] CWE-345 Pipelines do not validate child UIDs
### Summary
Pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task.
We should add UID to PipelineRun status and validate that child Run status/results only come from Runs matching the same UID.
### Details
While we [store and validate the PipelineRun's (api version
Sources: GHSA, OSV