CVE-2026-40923 is a path traversal validation bypass in Tekton Pipelines. In affected versions before 1.11.1, the VolumeMount path restriction checks use a simple prefix test, which can be bypassed with .. components. As a result, a path such as /tekton/home/../results can satisfy validation while resolving at runtime to /tekton/results. The issue is fixed in Tekton Pipelines 1.11.1.
Published 2026-04-21 and updated 2026-05-21, CVE-2026-40161 affects Tekton Pipelines git resolver behavior in API mode. If a tenant can create a TaskRun or PipelineRun and the token parameter is omitted, the resolver may send the system-configured Git API token to a user-controlled serverURL, enabling token exfiltration. The vendor-fixed releases are 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1.
Tekton Pipelines has a policy-matching flaw in trusted resources verification. In affected versions, a source string is checked with regexp.MatchString against spec.resources[].pattern, and Go regex matching succeeds on substrings unless patterns are anchored. As a result, an attacker-controlled source URI can contain a trusted pattern as a substring and trigger the wrong verification policy, changing whi [truncated]