PatchSiren

CVE-2026-25542 tektoncd CVE debrief

Tekton Pipelines has a policy-matching flaw in trusted resources verification. In affected versions, the resource's source string is compared with regexp.MatchString against each spec.resources[].pattern, and Go's regexp.MatchString reports a match wherever the pattern occurs inside the string unless the pattern is explicitly anchored. An attacker who controls the source URI can therefore embed a trusted pattern as a substring and cause the wrong verification policy to be selected, changing which verification mode and keys are applied to the resource. The issue is recorded as CVE-2026-25542 with a medium CVSS score (6.5) and a CWE-185 (Incorrect Regular Expression) classification.

Vendor
tektoncd
Product
pipeline
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-21
Original CVE updated
2026-05-01
Advisory published
2026-04-21
Advisory updated
2026-05-01

Who should care

Teams operating Tekton Pipelines, especially anyone using trusted resource verification policies, regex-based resource patterns, or supply-chain controls in CI/CD pipelines.

Technical summary

Tekton Pipelines 0.43.0 through 1.11.0 are affected. Policy selection compares refSource.URI to each spec.resources[].pattern via regexp.MatchString. Because MatchString reports success when the pattern matches any substring of the input, an unanchored pattern is satisfied by a matching fragment placed anywhere inside an attacker-controlled URI. An attacker can therefore steer a resource into an unintended trusted-resource policy and change the verification mode and keys that are applied to it.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Tekton Pipelines to a release that includes the fix commit b8905600322aa86327baae0a7c04d6cf1207362a.
  • Review all trusted resource patterns and anchor regexes so they match the full intended URI rather than substrings.
  • Re-test verification policies against representative attacker-controlled and malformed source strings.
  • Audit any pipelines that rely on trusted resource verification to confirm the intended keys and modes are selected.
  • Track the vendor advisory GHSA-rmx9-2pp3-xhcr and the NVD record for remediation guidance.
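The following Go program is an added example for this debrief, not code from Tekton Pipelines or from the fix commit. It illustrates the substring-matching problem described in the technical summary and the "anchor your patterns" and "re-test against attacker-controlled strings" actions above. The Policy type, the SamplePolicies, the probe URIs and the anchoring wrapper are all constructed for the demonstration; the field names are not Tekton's API, and the anchoring approach shown is a general hardening, not a claim about what the vendor patch does.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Policy is a deliberately simplified stand-in for a Tekton VerificationPolicy.
// The field names are constructed for this example and are not Tekton's API;
// Patterns plays the role of spec.resources[].pattern.
type Policy struct {
	Name     string
	Patterns []string
	Mode     string // e.g. "enforce" or "warn"
	KeyID    string // stands in for the key(s) the policy would select
}

// Matcher compares one pattern against one source URI.
type Matcher func(pattern, uri string) (bool, error)

// MatchUnanchored reproduces the flawed comparison: regexp.MatchString
// reports a match if the pattern matches anywhere inside uri.
func MatchUnanchored(pattern, uri string) (bool, error) {
	return regexp.MatchString(pattern, uri)
}

// MatchAnchored forces the pattern to cover the whole URI (assumed hardening,
// not the vendor's fix). The non-capturing group keeps alternations such as
// "a|b" inside the anchors; a bare "^a|b$" would anchor each branch separately.
func MatchAnchored(pattern, uri string) (bool, error) {
	return regexp.MatchString("^(?:"+pattern+")$", uri)
}

// MatchingPolicies returns every policy with at least one pattern that
// matches uri under the given matcher, so the caller can see which mode
// and key would be applied.
func MatchingPolicies(policies []Policy, uri string, match Matcher) ([]Policy, error) {
	var hits []Policy
	for _, pol := range policies {
		for _, pat := range pol.Patterns {
			ok, err := match(pat, uri)
			if err != nil {
				return nil, fmt.Errorf("policy %s: invalid pattern %q: %w", pol.Name, pat, err)
			}
			if ok {
				hits = append(hits, pol)
				break
			}
		}
	}
	return hits, nil
}

// UnanchoredPatterns lists patterns that do not begin with ^ or \A and end
// with $ or \z. This is a heuristic for the review step, not a regex parse:
// "^a|b$" passes the check yet its "b" branch still matches substrings.
func UnanchoredPatterns(policies []Policy) []string {
	var out []string
	for _, pol := range policies {
		for _, pat := range pol.Patterns {
			startOK := strings.HasPrefix(pat, "^") || strings.HasPrefix(pat, `\A`)
			endOK := (strings.HasSuffix(pat, "$") && !strings.HasSuffix(pat, `\$`)) ||
				strings.HasSuffix(pat, `\z`)
			if !startOK || !endOK {
				out = append(out, pol.Name+": "+pat)
			}
		}
	}
	return out
}

// SamplePolicies are constructed for this example. Dots are escaped on
// purpose: an unescaped "." would also accept "github-com".
var SamplePolicies = []Policy{
	{Name: "catalog-enforce", Patterns: []string{`https://github\.com/example-org/trusted-catalog/.*`}, Mode: "enforce", KeyID: "release-key"},
	{Name: "sandbox-warn", Patterns: []string{`https://git\.internal\.example/sandbox/.*`}, Mode: "warn", KeyID: "dev-key"},
}

// Probes are constructed source URIs: one legitimate, two attacker-controlled
// URIs that embed a trusted pattern as a substring.
var Probes = []string{
	"https://github.com/example-org/trusted-catalog/task.yaml",
	"https://github.com/attacker/fork/https://git.internal.example/sandbox/task.yaml",
	"https://evil.example/t.yaml?u=https://github.com/example-org/trusted-catalog/x",
}

func main() {
	for _, uri := range Probes {
		loose, _ := MatchingPolicies(SamplePolicies, uri, MatchUnanchored)
		strict, _ := MatchingPolicies(SamplePolicies, uri, MatchAnchored)
		fmt.Println(uri)
		for _, p := range loose {
			fmt.Printf("  unanchored -> %s (mode=%s key=%s)\n", p.Name, p.Mode, p.KeyID)
		}
		for _, p := range strict {
			fmt.Printf("  anchored   -> %s (mode=%s key=%s)\n", p.Name, p.Mode, p.KeyID)
		}
		if len(strict) == 0 {
			fmt.Println("  anchored   -> no policy matched")
		}
	}
	fmt.Println("patterns needing anchors:", UnanchoredPatterns(SamplePolicies))
}
```

Running it shows the two attacker URIs selecting the sandbox "warn" policy and the catalog "enforce" policy respectively under unanchored matching, while anchored matching selects no policy for either. When re-testing real policies, feed the probe list with your own trusted patterns embedded in paths, query strings and fragments, and treat any difference between the unanchored and anchored result sets as a finding.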

Evidence notes

The CVE and NVD record identify affected versions 0.43.0–1.11.0, the use of regexp.MatchString in policy matching, and CWE-185. Official references include the Tekton patch commit b8905600322aa86327baae0a7c04d6cf1207362a and the vendor advisory GHSA-rmx9-2pp3-xhcr. The CVE was published on 2026-04-21 and modified on 2026-05-01.

Official resources

Publicly disclosed in the CVE record on 2026-04-21 and last modified in the record on 2026-05-01. The NVD record marks the vulnerability as analyzed.