PT-2026-25993 · Unknown · Tekton Pipelines

1Seal · Published 2026-03-17 · Updated 2026-03-27 · CVE-2026-33022

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Tekton Pipelines versions 0.60.0 through 1.10.1
Description: Tekton Pipelines is susceptible to a denial-of-service issue. A user with the ability to create TaskRun or PipelineRun resources can cause the Tekton Pipelines controller to crash by setting the .spec.taskRef.resolver or .spec.pipelineRef.resolver field to a string of 31 or more characters. The crash occurs because the GenerateDeterministicNameFromSpec function produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic then panics. The controller enters a CrashLoopBackOff state, blocking all CI/CD reconciliation until the offending resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are not affected, but any custom resolver name triggers the issue.
Recommendations: The following versions are vulnerable: prior to 1.0.1; 1.1.0 through 1.3.2; 1.4.0 through 1.6.0; 1.7.0 through 1.9.0; 1.10.0 and 1.10.1. Restrict who can create TaskRun and PipelineRun resources via Kubernetes RBAC.
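As an added illustration of the field the advisory describes and of a compensating check (this is example code, not Tekton's own; the resolver-length threshold, the built-in resolver list and the sample manifests are taken from or constructed for this advisory, and the struct types are a minimal assumption, not Tekton's API types), the following Go snippet rejects TaskRun and PipelineRun manifests whose custom resolver name would reach the crashing length:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Built-in resolvers the advisory lists as unaffected.
var builtinResolvers = map[string]bool{"git": true, "cluster": true, "bundles": true, "hub": true}

// The advisory states that 31 or more characters trigger the crash.
const maxSafeResolverLen = 30

// Minimal view of the relevant fields (assumed shape, not Tekton's types).
type ref struct {
	Resolver string `json:"resolver"`
}
type runSpec struct {
	TaskRef     *ref `json:"taskRef,omitempty"`
	PipelineRef *ref `json:"pipelineRef,omitempty"`
}
type runObject struct {
	Kind string  `json:"kind"`
	Spec runSpec `json:"spec"`
}

// CheckResolverName returns an error for a custom resolver name long enough
// to hit the controller panic described in CVE-2026-33022.
func CheckResolverName(resolver string) error {
	if resolver == "" || builtinResolvers[resolver] {
		return nil
	}
	if len(resolver) > maxSafeResolverLen {
		return fmt.Errorf("custom resolver %q is %d characters; 31 or more crash the controller (CVE-2026-33022)", resolver, len(resolver))
	}
	return nil
}

// ValidateRun parses a TaskRun/PipelineRun manifest (JSON) and applies the check
// to .spec.taskRef.resolver and .spec.pipelineRef.resolver.
func ValidateRun(manifest []byte) error {
	var obj runObject
	if err := json.Unmarshal(manifest, &obj); err != nil {
		return err
	}
	if obj.Spec.TaskRef != nil {
		if err := CheckResolverName(obj.Spec.TaskRef.Resolver); err != nil {
			return err
		}
	}
	if obj.Spec.PipelineRef != nil {
		return CheckResolverName(obj.Spec.PipelineRef.Resolver)
	}
	return nil
}

func main() {
	// Constructed sample manifests: a built-in resolver and an over-long custom one.
	good := []byte(`{"kind":"TaskRun","spec":{"taskRef":{"resolver":"git"}}}`)
	bad := []byte(`{"kind":"PipelineRun","spec":{"pipelineRef":{"resolver":"my-very-long-custom-resolver-name-x"}}}`)
	fmt.Println(ValidateRun(good), ValidateRun(bad))
}
```

The same rule can be enforced cluster-side in an admission policy so that the controller never sees such a resource.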

Weakness Enumeration

Resource Exhaustion
Improper Validation of Array Index

Related Identifiers

CVE-2026-33022
GHSA-CV4X-93XX-WGFJ
GO-2026-4730
SUSE-SU-2026:1135-1

Affected Products

Tekton Pipelines