CVE-2026-40161— Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40161
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Source: NVD (National Vulnerability Database)
Vulnerability Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过发送数据的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Tekton Pipelines 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Tekton Pipelines是Tekton开源的一个云原生管道。 Tekton Pipelines 1.0.0版本至1.10.0版本存在安全漏洞,该漏洞源于API模式下git解析器在用户省略令牌参数时,会将系统配置的Git API令牌发送到用户控制的服务器URL,可能导致拥有TaskRun或PipelineRun创建权限的租户通过将服务器URL指向攻击者控制的端点来窃取共享的API令牌。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-40161
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40161
请登录查看更多情报信息。
Same Patch Batch · tektoncd · 2026-04-21 · 5 CVEs total
| CVE-2026-40938 | 7.5 HIGH | Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injecti |
| CVE-2026-25542 | 6.5 MEDIUM | Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching |
| CVE-2026-40924 | 6.5 MEDIUM | Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via |
| CVE-2026-40923 | 5.4 MEDIUM | Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekto |
IV. Related Vulnerabilities
Same product: pipeline
- CVE-2026-40923
Tekton Pipelines: VolumeMount path restriction bypass via mi - CVE-2026-40924
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read - CVE-2026-40938
Tekton Pipelines: Git Resolver Unsanitized Revision Paramete - CVE-2026-25542
Tekton Pipelines: VerificationPolicy regex pattern bypass vi - CVE-2026-33211
Tekton Pipelines git resolver has path traversal that allows
Same vendor: tektoncd
- CVE-2026-40923
Tekton Pipelines: VolumeMount path restriction bypass via mi - CVE-2026-40924
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read - CVE-2026-40938
Tekton Pipelines: Git Resolver Unsanitized Revision Paramete - CVE-2026-25542
Tekton Pipelines: VerificationPolicy regex pattern bypass vi - CVE-2026-33211
Tekton Pipelines git resolver has path traversal that allows
Same weakness: CWE-201
- CVE-2025-31978
HCL BigFix Service Management (SM) does not adequately sanit - CVE-2026-42379
WordPress Templately plugin <= 3.6.1 - Sensitive Data Exposu - CVE-2026-5512
Improper authorization vulnerability in GitHub Enterprise Se - CVE-2026-4525
Vault Token Leaked to Backends via Authorization: Bearer Pas - CVE-2026-5483
Odh-dashboard: odh dashboard kubernetes service account expo
V. Comments for CVE-2026-40161
No comments yet