PT-2026-34176 · Unknown · Tekton Pipelines

Kodareef5 · Published 2026-04-21 · Updated 2026-05-22 · CVE-2026-40923

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Tekton Pipelines versions prior to 1.11.1
Description: A validation bypass in the VolumeMount path restriction allows mounting volumes under the restricted '/tekton/' internal paths by using '..' path traversal components. The restriction check uses the strings.HasPrefix function without first applying filepath.Clean, so a path such as '/tekton/home/../results' passes validation but resolves to '/tekton/results' at runtime. The check passes because '/tekton/home' is an allowed prefix, which lets the traversal bypass the restriction. The affected code is in the container validation.go and task validation.go files. An authenticated user with Task or TaskRun creation permissions could exploit this to write fake task results, read or modify step scripts before execution, or interfere with entrypoint coordination state.
Recommendations: Update to version 1.11.1. Use admission controllers such as OPA/Gatekeeper or Kyverno to validate that VolumeMount paths do not contain '..' components. Restrict permissions for creating Task and TaskRun resources via RBAC in multi-tenant environments.
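The following Go program is an added illustration of the weakness in the Description and of the admission-controller rule in the Recommendations; it is not Tekton's code. It places a prefix check that runs on the raw string (the pattern the advisory describes) beside one that applies filepath.Clean before comparing, and adds a separate rule that rejects any mount path containing a '..' component. The allow-list is constructed for the example: the advisory names '/tekton/home' as an allowed prefix, while '/tekton/creds' is an assumption added to make the boundary check visible. The function names and the directory-boundary comparison (dir+"/") are also this example's own choices, not details from the advisory.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Internal tree that step containers must not mount over.
const reservedPrefix = "/tekton/"

// Constructed allow-list for this example. "/tekton/home" is the allowed
// prefix the advisory mentions; "/tekton/creds" is an assumption, not
// Tekton's actual list.
var allowedPrefixes = []string{"/tekton/home", "/tekton/creds"}

// vulnerableCheck reproduces the weakness the advisory describes: the prefix
// test runs on the raw string, so ".." components are never resolved before
// comparison. "/tekton/home/../results" passes because it literally starts
// with "/tekton/home".
func vulnerableCheck(mountPath string) bool {
	if !strings.HasPrefix(mountPath, reservedPrefix) {
		return true // outside /tekton/, nothing to restrict
	}
	for _, allowed := range allowedPrefixes {
		if strings.HasPrefix(mountPath, allowed) {
			return true
		}
	}
	return false
}

// underDir reports whether p is dir itself or a path inside it. Comparing
// against dir+"/" keeps "/tekton/homework" from matching "/tekton/home"; that
// boundary check is general hardening added here, not part of the advisory.
func underDir(p, dir string) bool {
	return p == dir || strings.HasPrefix(p, dir+"/")
}

// hardenedCheck normalises the path with filepath.Clean before the prefix
// comparison, so "/tekton/home/../results" is evaluated as "/tekton/results"
// and rejected. Relative paths are rejected outright because Clean cannot
// anchor them anywhere.
func hardenedCheck(mountPath string) bool {
	if !filepath.IsAbs(mountPath) {
		return false
	}
	cleaned := filepath.Clean(mountPath)
	if !strings.HasPrefix(cleaned, reservedPrefix) {
		return true
	}
	for _, allowed := range allowedPrefixes {
		if underDir(cleaned, allowed) {
			return true
		}
	}
	return false
}

// hasDotDotComponent is the admission-controller style rule from the
// recommendations: reject any mountPath that carries a ".." component,
// regardless of where it would resolve. It splits on "/" rather than
// cleaning, so the policy stays independent of the allow-list and is
// stricter than hardenedCheck (a ".." that resolves back into an allowed
// directory is still refused).
func hasDotDotComponent(mountPath string) bool {
	for _, seg := range strings.Split(mountPath, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample mount paths covering the cases discussed above.
	samples := []string{
		"/tekton/home/../results", // traversal: vulnerable accepts, hardened rejects
		"/tekton/home/data",       // legitimately inside an allowed prefix
		"/tekton/results",         // internal path, rejected by both checks
		"/tekton/homework",        // shares a string prefix, not under /tekton/home
		"/workspace/src",          // outside /tekton/, always fine
		"relative/path",           // never valid as a mount path
	}
	for _, s := range samples {
		fmt.Printf("%-26s vulnerable=%-5v hardened=%-5v dotdot=%v\n",
			s, vulnerableCheck(s), hardenedCheck(s), hasDotDotComponent(s))
	}
}
```

Running the program prints one line per sample; the first line shows the bypass (vulnerable=true, hardened=false), and the '/tekton/homework' line shows why the cleaned path should be compared on a directory boundary rather than as a bare string prefix.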

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-40923
GHSA-RX35-6RHX-7858

Affected Products

Tekton Pipelines