


Perceptive Security
SOC/SIEM Consultancy

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, …
Published:
23 March 2026 at 23:00:00
Alert date:
24 March 2026 at 16:16:53
Source:
nvd.nist.gov
Cloud & Virtualization, Enterprise Applications
A path traversal vulnerability exists in the Tekton Pipelines git resolver starting from version 1.0.0. The vulnerability allows tenants with ResolutionRequests permissions to read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens, through the pathInRepo parameter. File contents are returned base64-encoded in resolutionrequest.status.data. Multiple versions are affected, including 1.0.0 through 1.10.1. Patches are available in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2.
Affected products:
Tekton Pipelines
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33211
https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c
https://github.com/tektoncd/pipeline/commit/318006c4e3a5
https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd
https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae
https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e
https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db
https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78
https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c
This article was created with the assistance of AI technology by Perceptive.
