PT-2026-34008 · Unknown · Tekton Pipelines
Published
2026-04-21
·
Updated
2026-05-21
·
CVE-2026-40161
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Tekton Pipelines versions 1.0.0 through 1.10.0
Description
The git resolver in API mode sends the system-configured Git API token to a user-controlled 'serverURL' when the
token parameter is omitted. A tenant with TaskRun or PipelineRun create permissions can exfiltrate shared API tokens, such as GitHub PAT or GitLab tokens, by directing 'serverURL' to an attacker-controlled endpoint.Recommendations
Update Tekton Pipelines to a version later than 1.10.0.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tekton Pipelines