PT-2026-34177 · Unknown · Tekton Pipelines
Published 2026-04-21 · Updated 2026-04-28
CVE-2026-40924
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Tekton Pipelines versions prior to 1.11.1
Description
The HTTP resolver's FetchHttpResource() function reads response bodies without a size limit. A user with permissions to create TaskRuns or PipelineRuns can point the resolver to a malicious HTTP server that returns an excessively large response. This causes the tekton-pipelines-resolvers pod to be OOM-killed (Out Of Memory) by Kubernetes. Since all resolver types (Git, Hub, Bundle, Cluster, and HTTP) share the same pod, this results in a denial of service for the entire cluster's resolution service. Repeated exploitation can lead to a sustained crash loop.
Recommendations
Update to version 1.11.1.
Exploit
Fix
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Tekton Pipelines