Description

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.

INFO

Published Date :

2026-04-21T20:47:47.178Z

Last Modified :

2026-04-22T13:21:28.680Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40924 vulnerability.

Vendors Products
Tektoncd
  • Pipeline
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40924.

URL Resource
https://github.com/tektoncd/pipeline/releases/tag/v1.11.1 cve-icon cve-icon
https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact