


Perceptive Security
SOC/SIEM Consultancy

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, …
Published:
23 March 2026 at 23:00:00
Alert date:
24 March 2026 at 09:16:39
Source:
nvd.nist.gov
Cloud & Virtualization, Supply Chain & Dependencies
CVE-2026-33211 affects the git resolver in Tekton Pipelines, starting in version 1.0.0 and prior to the patched versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. The pathInRepo parameter is open to path traversal, which lets a tenant with permission to create ResolutionRequests read arbitrary files from the resolver pod's filesystem, including sensitive ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data. The vulnerability can be exploited by creating TaskRuns or PipelineRuns that use the git resolver. Patched versions are available on each of the affected release branches.
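The class of check that closes this kind of hole, as an added example (not Tekton's own code and not the upstream fix): a tenant-supplied pathInRepo is joined to the checkout directory and rejected if the result leaves it. The function names and the /tmp/checkout directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errEscapesRepo = errors.New("pathInRepo escapes repository root")

// naiveJoin shows the unsafe pattern: Join cleans ".." segments, so a
// traversal sequence silently resolves to a path outside repoRoot.
func naiveJoin(repoRoot, pathInRepo string) string {
	return filepath.Join(repoRoot, pathInRepo)
}

// resolveInRepo (hypothetical helper) maps pathInRepo onto a path under
// repoRoot and fails closed when the cleaned result is not contained in it.
// The check is lexical only: symlinks inside the checkout are not resolved.
func resolveInRepo(repoRoot, pathInRepo string) (string, error) {
	if pathInRepo == "" || filepath.IsAbs(pathInRepo) {
		return "", errEscapesRepo
	}
	root := filepath.Clean(repoRoot)
	full := filepath.Join(root, pathInRepo)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapesRepo
	}
	return full, nil
}

func main() {
	root := "/tmp/checkout" // constructed checkout directory
	// Constructed sample values for pathInRepo.
	for _, p := range []string{"tasks/build.yaml", "tasks/../build.yaml", "../outside.txt", "a/../../outside.txt"} {
		safe, err := resolveInRepo(root, p)
		fmt.Printf("%-22q naive=%-28q checked=%q err=%v\n", p, naiveJoin(root, p), safe, err)
	}
}
```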
Affected products:
Tekton Pipelines
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33211
https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c
https://github.com/tektoncd/pipeline/commit/318006c4e3a5
https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd
https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae
https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e
https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db
https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78
https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c
This article was created with the assistance of AI technology by Perceptive.
