CVE-2026-40938

April 22, 2026, 9:23 p.m.

7.5
High

Description

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. This vulnerability is fixed in 1.11.1.

Product(s) Impacted

Vendor Product Versions
Tekton
  • Tekton Pipelines
  • 1.0.0-1.10.*, 1.11.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a tekton tekton_pipelines 1.0.0-1.10.* / / / / / / /
a tekton tekton_pipelines 1.11.1 / / / / / / /

References

https://github.com/tektoncd/pipeline/releases/tag/v1.11.1
https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq
https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq

Tags

[email protected]
CWE-88
2026-04-21
CVE-2026-40938

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: April 21, 2026, 9:16 p.m.
Last Modified: April 22, 2026, 9:23 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.