HIGH
tektoncd
CVE published 2026-04-21
CVE-2026-40161
Published 2026-04-21 and updated 2026-05-21, CVE-2026-40161 affects Tekton Pipelines git resolver behavior in API mode. If a tenant can create a TaskRun or PipelineRun and the token parameter is omitted, the resolver may send the system-configured Git API token to a user-controlled serverURL, enabling token exfiltration. The vendor-fixed releases are 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1.