PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40923 tektoncd CVE debrief

CVE-2026-40923 is a path traversal validation bypass in Tekton Pipelines. In affected versions before 1.11.1, the VolumeMount path restriction checks use a simple prefix test, which can be bypassed with .. components. As a result, a path such as /tekton/home/../results can satisfy validation while resolving at runtime to /tekton/results. The issue is fixed in Tekton Pipelines 1.11.1.

Vendor: tektoncd
Product: pipeline
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-04-27
Advisory published: 2026-04-21
Advisory updated: 2026-04-27

Who should care

Operators and maintainers running Tekton Pipelines versions earlier than 1.11.1, especially in environments that rely on path restrictions for VolumeMounts under /tekton internal paths.

Technical summary

The weakness is a validation flaw: the restriction logic checks whether a path starts with the expected /tekton prefix using strings.HasPrefix, but does not normalize the path first with filepath.Clean. Because of that, traversal sequences like .. can let an attacker present a path that appears allowed during validation while resolving to a restricted internal location at runtime. NVD maps the issue to CWE-22 and gives it CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4).
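The following Go example is added here to illustrate the pattern; it is not Tekton's code. The reserved-path list and the function names are constructed for the example, which puts the bare strings.HasPrefix test beside a check that runs filepath.Clean first and guards the separator boundary.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed stand-in for internal Tekton paths that a user-supplied
// VolumeMount must not resolve into; this is not Tekton's own list.
var reservedRoots = []string{"/tekton/results", "/tekton/steps"}

// isUnder reports whether p is root itself or lies strictly beneath root;
// the separator guard keeps "/tekton/resultsX" from matching "/tekton/results".
func isUnder(p, root string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// vulnerableAllowed reproduces the flawed pattern: a bare strings.HasPrefix
// test on the raw mount path, so ".." segments hide the real target.
func vulnerableAllowed(mountPath string) bool {
	for _, root := range reservedRoots {
		if strings.HasPrefix(mountPath, root) {
			return false
		}
	}
	return true
}

// hardenedAllowed runs filepath.Clean first, so the check sees the path as it
// will resolve at runtime; relative paths are rejected outright.
func hardenedAllowed(mountPath string) bool {
	cleaned := filepath.Clean(mountPath)
	if !filepath.IsAbs(cleaned) {
		return false
	}
	for _, root := range reservedRoots {
		if isUnder(cleaned, root) {
			return false
		}
	}
	return true
}

func main() {
	for _, p := range []string{"/tekton/home/../results", "/tekton/home/work"} {
		fmt.Printf("%-24s vulnerable=%-5v hardened=%-5v resolves=%s\n",
			p, vulnerableAllowed(p), hardenedAllowed(p), filepath.Clean(p))
	}
}
```

Running it shows the advisory's example path accepted by the raw prefix test and rejected once cleaned, while an ordinary path under /tekton/home passes both.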

Defensive priority

Medium. The issue requires low privileges and has no availability impact, but it can affect confidentiality and integrity within the scope of the containerized pipeline environment.

Recommended defensive actions

  • Upgrade Tekton Pipelines to version 1.11.1 or later.
  • Review pipeline definitions and volume mount paths for any use of .. traversal components.
  • Validate that any path-based allowlist or restriction logic in your Tekton-related automation normalizes paths before comparing them.
  • After upgrading, re-test workload definitions that depend on /tekton path restrictions to confirm the fix behaves as expected.

Evidence notes

The CVE description states that the flaw exists prior to 1.11.1 and is caused by a path restriction check that uses strings.HasPrefix without filepath.Clean, allowing /tekton/home/../results to pass validation and resolve to /tekton/results. NVD marks the record as analyzed and lists CWE-22 with CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The supplied official references point to the Tekton 1.11.1 release notes and the GitHub security advisory.

Official resources

CVE-2026-40923 was published on 2026-04-21T21:16:45.543Z and last modified on 2026-04-27T18:07:23.070Z. The supplied source data and official references indicate the fix is available in Tekton Pipelines 1.11.1.