
The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode s…

Published:

20 April 2026 at 22:00:00

Alert date:

21 April 2026 at 18:10:28

Source:

nvd.nist.gov


Cloud & Virtualization, Supply Chain & Dependencies, Data Breach & Exfiltration

CVE-2026-40161 affects Tekton Pipelines versions 1.0.0 through 1.10.0. In API mode, the git resolver falls back to the cluster-configured Git API token whenever a run omits the token parameter, but it still sends that token to whatever serverURL the same run specifies. Any principal allowed to create TaskRuns or PipelineRuns can therefore point serverURL at an endpoint they control and capture the shared token (for example a GitHub PAT or a GitLab token) from the resolver's outbound request. In CI/CD environments that rely on Tekton Pipelines this is a significant credential-exposure risk, because one shared token typically grants access to every repository the resolver is expected to fetch from.
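The fallback described above is easiest to see side by side with a version that refuses it. The following is an added example written for this page, not code from Tekton Pipelines or from the advisory; the type and field names (ResolverConfig, Params, buildRequestVulnerable, buildRequestHardened) and the sample token and URLs are constructed for illustration and do not correspond to Tekton's real configuration keys or parameter handling.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ResolverConfig stands in for the cluster-wide settings an operator gives the
// git resolver: a default API server and a shared token loaded from a Secret.
// Field names are assumptions for this example, not Tekton's real config keys.
type ResolverConfig struct {
	ServerURL string
	APIToken  string
}

// Params is the subset of per-run resolver parameters that matter here. Both are
// under the control of whoever creates the TaskRun or PipelineRun.
type Params struct {
	ServerURL string // optional override of the API endpoint
	Token     string // optional user-supplied token; empty means omitted
}

// Request is the outbound API call the resolver would make.
type Request struct {
	Endpoint string
	Token    string
}

// pickEndpoint applies the user override if present, else the operator default.
func pickEndpoint(cfg ResolverConfig, p Params) string {
	if p.ServerURL != "" {
		return p.ServerURL
	}
	return cfg.ServerURL
}

// buildRequestVulnerable reproduces the flawed fallback the advisory describes:
// an omitted token is replaced by the shared token, but the endpoint is still
// whatever serverURL the run supplied, so the token goes wherever the run says.
func buildRequestVulnerable(cfg ResolverConfig, p Params) Request {
	token := p.Token
	if token == "" {
		token = cfg.APIToken
	}
	return Request{Endpoint: pickEndpoint(cfg, p), Token: token}
}

// buildRequestHardened attaches the shared token only when the request targets
// the operator-configured server (same scheme and host). A run that redirects
// serverURL must supply its own token or is refused.
func buildRequestHardened(cfg ResolverConfig, p Params) (Request, error) {
	endpoint := pickEndpoint(cfg, p)
	if p.Token != "" {
		return Request{Endpoint: endpoint, Token: p.Token}, nil
	}
	same, err := sameOrigin(endpoint, cfg.ServerURL)
	if err != nil {
		return Request{}, err
	}
	if !same {
		return Request{}, fmt.Errorf("refusing to send the shared token to %q: not the configured server %q", endpoint, cfg.ServerURL)
	}
	return Request{Endpoint: endpoint, Token: cfg.APIToken}, nil
}

// sameOrigin compares scheme and host of two URLs; it rejects unparsable or
// host-less URLs rather than guessing, so a scheme downgrade also fails.
func sameOrigin(a, b string) (bool, error) {
	ua, err := url.Parse(a)
	if err != nil {
		return false, err
	}
	ub, err := url.Parse(b)
	if err != nil {
		return false, err
	}
	if ua.Host == "" || ub.Host == "" {
		return false, errors.New("server URL must be absolute with a host")
	}
	return ua.Scheme == ub.Scheme && ua.Host == ub.Host, nil
}

func main() {
	// Constructed values: the token is a placeholder, the attacker host is fictional.
	cfg := ResolverConfig{ServerURL: "https://api.github.com", APIToken: "ghp_shared_example"}
	redirect := Params{ServerURL: "https://attacker.example/api"}

	v := buildRequestVulnerable(cfg, redirect)
	fmt.Printf("vulnerable: sends token %q to %s\n", v.Token, v.Endpoint)

	if _, err := buildRequestHardened(cfg, redirect); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The hardened variant keys the decision on the origin of the request rather than on the presence of a token: a run that omits the token and keeps the default server still works, a run that brings its own token may target any server, and only the combination of redirected serverURL plus borrowed shared token is refused. Whatever the real fix looks like, the same invariant is what to verify after upgrading, and RBAC on TaskRun and PipelineRun creation remains the outer boundary until then.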

Technical details

Mitigation steps:

Affected products:

Tekton Pipelines

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website shows information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
