PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40161 tektoncd CVE debrief

Published 2026-04-21 and updated 2026-05-21, CVE-2026-40161 affects Tekton Pipelines git resolver behavior in API mode. If a tenant can create a TaskRun or PipelineRun and the token parameter is omitted, the resolver may send the system-configured Git API token to a user-controlled serverURL, enabling token exfiltration. The vendor-fixed releases are 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1.

Vendor: tektoncd
Product: pipeline
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-05-21
Advisory published: 2026-04-21
Advisory updated: 2026-05-21

Who should care

Tekton cluster operators, platform/security teams running multi-tenant CI/CD, and any environment that lets untrusted users create TaskRun or PipelineRun objects while using a shared Git API token.

Technical summary

In API mode, Tekton Pipelines' git resolver can forward the system-configured Git API token to the serverURL supplied by the user when the token parameter is omitted. That creates a confidentiality issue because a user with TaskRun or PipelineRun create permission can point the resolver at an attacker-controlled endpoint and capture the shared Git credential. NVD metadata classifies the issue as CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N and references CWE-201.

Defensive priority

High; prioritize immediately in any shared or multi-tenant Tekton deployment, especially where Git API tokens are centrally configured and tenants can create runs.

Recommended defensive actions

  • Upgrade Tekton Pipelines to a fixed release matching your branch: 1.0.2, 1.3.4, 1.6.2, 1.9.3, or 1.11.1.
  • Review any pipeline or task definitions that use the git resolver in API mode and ensure token handling is explicit and consistent with the fixed release behavior.
  • Restrict who can create TaskRun and PipelineRun resources, especially in shared clusters or namespaces.
  • Audit for shared Git API tokens and rotate them if you suspect they may have been exposed.
  • Check resolver and admission controls for user-supplied serverURL values, and apply additional policy or egress restrictions where appropriate.
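As an added illustration of the admission/audit check in the last point (this is example code written for this debrief, not Tekton's own), the helper below walks a TaskRun or PipelineRun manifest already parsed into a dict and flags git-resolver references that set a caller-supplied serverURL without an explicit token param, or that point at a host outside a constructed allowlist. It assumes the git resolver's documented param names (serverURL and token from the advisory, plus org, repo and pathInRepo for API mode), and the allowlist host and sample manifest are constructed.

```python
from urllib.parse import urlparse

# Constructed allowlist: the Git API hosts this cluster's resolver should ever contact.
ALLOWED_SERVER_HOSTS = {"git.example.internal"}

def _params(ref: dict) -> dict:
    # Flatten a resolver ref's params list into a name -> value map.
    return {p["name"]: p.get("value") for p in ref.get("params", []) if "name" in p}

def _resolver_refs(run: dict):
    """Yield (path, ref) for each taskRef/pipelineRef, including tasks of an inline pipelineSpec."""
    spec = run.get("spec", {})
    for key in ("taskRef", "pipelineRef"):
        if key in spec:
            yield f"spec.{key}", spec[key]
    for i, task in enumerate(spec.get("pipelineSpec", {}).get("tasks", [])):
        if "taskRef" in task:
            yield f"spec.pipelineSpec.tasks[{i}].taskRef", task["taskRef"]

def audit_run(run: dict, allowed_hosts=ALLOWED_SERVER_HOSTS) -> list:
    """Return findings for git-resolver refs that carry a caller-supplied serverURL."""
    findings = []
    for path, ref in _resolver_refs(run):
        if ref.get("resolver") != "git":
            continue
        params = _params(ref)
        server = params.get("serverURL")
        if server is None:
            continue  # no caller-supplied server: not the pattern described in the advisory
        host = urlparse(server).hostname or ""
        if "token" not in params:
            findings.append(f"{path}: serverURL {server!r} set without an explicit token param")
        if host not in allowed_hosts:
            findings.append(f"{path}: serverURL host {host!r} is not on the allowlist")
    return findings

# Constructed sample TaskRun: caller-supplied serverURL, token param omitted.
RISKY_TASKRUN = {
    "apiVersion": "tekton.dev/v1", "kind": "TaskRun",
    "spec": {"taskRef": {"resolver": "git", "params": [
        {"name": "org", "value": "acme"}, {"name": "repo", "value": "tasks"},
        {"name": "pathInRepo", "value": "task/build.yaml"},
        {"name": "serverURL", "value": "https://git.unapproved.example"},
    ]}},
}

if __name__ == "__main__":
    for finding in audit_run(RISKY_TASKRUN):
        print(finding)
```

The same check can be run over manifests exported with kubectl, or adapted into an admission policy, so that runs matching the vulnerable pattern are rejected before the resolver ever contacts the supplied server.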

Evidence notes

The supplied vendor advisory text says the issue exists starting in 1.0.0 and before 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1. NVD metadata for the same CVE references GitHub issue tracking and the vendor advisory, and its CPE criteria list Tekton Pipelines as vulnerable from 1.0.0 through 1.10.0; use the vendor advisory's branch-specific fix versions when planning upgrades. NVD also records the weakness as CWE-201 and a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

Official resources

Publicly disclosed in the supplied CVE record on 2026-04-21; the record was modified on 2026-05-21.