


Perceptive Security
SOC/SIEM Consultancy

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode s…
Published:
20 April 2026 at 22:00:00
Alert date:
21 April 2026 at 18:10:28
Source:
nvd.nist.gov
Cloud & Virtualization, Supply Chain & Dependencies, Data Breach & Exfiltration
CVE-2026-40161 affects Tekton Pipelines versions 1.0.0 through 1.10.0. When a TaskRun or PipelineRun uses the git resolver in API mode and omits the token parameter, the resolver falls back to the system-configured Git API token and sends it to whatever serverURL the run specifies, including endpoints the run author controls. Anyone with permission to create TaskRuns or PipelineRuns can therefore exfiltrate the shared token (a GitHub PAT or a GitLab token, for example) simply by pointing serverURL at a host they operate. In CI/CD environments built on Tekton Pipelines this is a significant credential exposure: the shared token is meant for the configured SCM server, not for arbitrary hosts named in a user's run.
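The fallback described above, as an added illustration in Go (this is not code from the Tekton project and not its actual fix; the type and function names are hypothetical, and the token value is a constructed sample). The vulnerable function shows the flaw class: an omitted per-run token makes the resolver attach the system token regardless of which host serverURL names. The hardened function adds the check a practitioner would want: the shared system token is only ever sent to the https origin it was configured for, while a token supplied by the run author may still go to a host of their choosing, since it is their own credential.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ResolverConfig stands in for the cluster-wide git resolver settings an
// operator configures once. Field names are hypothetical, not Tekton's.
type ResolverConfig struct {
	DefaultServerURL string // SCM API origin the system token was issued for
	SystemToken      string // shared token loaded from a Secret (constructed sample below)
}

// RunParams stands in for the resolver parameters a TaskRun or PipelineRun
// author controls. Only the two relevant to the bug are modelled.
type RunParams struct {
	ServerURL string // user-supplied; may point anywhere
	Token     string // optional; empty means no per-run token was given
}

// APIRequest is the outbound call the resolver would make to the SCM API.
type APIRequest struct {
	Endpoint string
	Bearer   string
}

// buildRequestVulnerable reproduces the flaw class the advisory describes:
// when Token is omitted, the system token is attached to the request no
// matter which host ServerURL names.
func buildRequestVulnerable(cfg ResolverConfig, p RunParams) (APIRequest, error) {
	server := p.ServerURL
	if server == "" {
		server = cfg.DefaultServerURL
	}
	token := p.Token
	if token == "" {
		token = cfg.SystemToken // leaks to an attacker host if ServerURL was redirected
	}
	return APIRequest{Endpoint: strings.TrimRight(server, "/") + "/api/v3", Bearer: token}, nil
}

// buildRequestHardened only attaches the shared system token when ServerURL
// is the same https origin the token was configured for.
func buildRequestHardened(cfg ResolverConfig, p RunParams) (APIRequest, error) {
	server := p.ServerURL
	if server == "" {
		server = cfg.DefaultServerURL
	}
	token := p.Token
	if token == "" {
		if !sameHTTPSOrigin(server, cfg.DefaultServerURL) {
			return APIRequest{}, errors.New("refusing to send the system token to non-default serverURL " + server)
		}
		token = cfg.SystemToken
	}
	return APIRequest{Endpoint: strings.TrimRight(server, "/") + "/api/v3", Bearer: token}, nil
}

// sameHTTPSOrigin is true only when both URLs parse, both use https, and the
// host (including any port) matches case-insensitively.
func sameHTTPSOrigin(a, b string) bool {
	ua, errA := url.Parse(a)
	ub, errB := url.Parse(b)
	if errA != nil || errB != nil {
		return false
	}
	if !strings.EqualFold(ua.Scheme, "https") || !strings.EqualFold(ub.Scheme, "https") {
		return false
	}
	return strings.EqualFold(ua.Host, ub.Host)
}

func main() {
	// Constructed sample configuration and run parameters.
	cfg := ResolverConfig{DefaultServerURL: "https://github.com", SystemToken: "ghp_constructedSampleToken"}
	runs := []RunParams{
		{ServerURL: "https://github.com"},
		{ServerURL: "https://attacker.example"},
		{ServerURL: "https://attacker.example", Token: "user-supplied-token"},
	}
	for _, p := range runs {
		v, _ := buildRequestVulnerable(cfg, p)
		h, err := buildRequestHardened(cfg, p)
		fmt.Printf("serverURL=%-26s vulnerable sends %q; hardened: ", p.ServerURL, v.Bearer)
		if err != nil {
			fmt.Println(err)
		} else {
			fmt.Printf("sends %q\n", h.Bearer)
		}
	}
}
```

Run it with `go run` to see the three cases side by side. Pinning the system token to its configured origin is one reasonable check; the project's own fix may take a different shape, so follow the GitHub advisory linked below for the version to upgrade to.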
Affected products:
Tekton Pipelines
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40161
https://github.com/tektoncd/pipeline/issues/9608
https://github.com/tektoncd/pipeline/issues/9609
https://github.com/tektoncd/pipeline/security/advisories/GHSA-wjxp-xrpv-xpff
This article was created with the assistance of AI technology by Perceptive.
