Description

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. This vulnerability is fixed in 1.11.1.

INFO

Published Date :

2026-04-21T20:45:24.658Z

Last Modified :

2026-04-22T18:36:16.790Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40938 vulnerability.

Vendors Products
Tektoncd
  • Pipeline
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40938.

URL Resource
https://github.com/tektoncd/pipeline/releases/tag/v1.11.1 cve-icon cve-icon
https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact