CVE-2026-40161: Sensitive Token Exfiltration in Tekton Pipelines Git Resolver
Vulnerability ID: CVE-2026-40161
CVSS Score: 7.7
Published: 2026-04-21
A high-severity vulnerability (CVSS 7.7) exists in the Tekton Pipelines Git resolver component. The flaw allows authenticated users with TaskRun creation privileges to exfiltrate system-level Git API tokens by exploiting a missing authorization check in the API token resolution fallback process.
TL;DR
The Tekton Pipelines Git resolver leaks system-configured API tokens to arbitrary user-controlled URLs due to missing endpoint validation and SubjectAccessReview checks.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-201
- Attack Vector: Network
- CVSS Base Score: 7.7
- Exploit Status: Proof of Concept
- KEV Listed: False
- Privileges Required: Low
Affected Systems
- Tekton Pipelines
- pipeline: 1.0.0 - 1.10.0 (Fixed in: 1.10.1)
Mitigation Strategies
- Upgrade Tekton Pipelines to version 1.10.1 or later
- Deploy Kubernetes egress NetworkPolicies to restrict the controller's outbound connections
- Restrict RBAC permissions for TaskRun and PipelineRun creation
- Rotate existing centralized Git API tokens
Remediation Steps:
- Audit existing cluster pipelines relying on the api-token-secret-namespace configuration.
- Replicate the necessary Git secrets into the individual namespaces requiring them.
- Apply the Tekton Pipelines update to version > 1.10.0.
- Validate that legacy pipelines using the deprecated ConfigMap key correctly fail or are updated to reference local secrets.
- Rotate the previously used system-wide Git token, as it may have been exposed.
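The audit step above can be scripted against the JSON that kubectl emits. The following is an added example, not code from the advisory or from the Tekton project; it assumes the git resolver's `org`, `repo` and `token` param names (API mode without a per-run `token` falls back to the cluster-wide secret) and the `{"items": [...]}` shape of `kubectl get taskruns,pipelineruns -A -o json`.

```python
"""Audit helper (added example): list TaskRuns/PipelineRuns that use the git
resolver in API mode without a per-run `token` param, i.e. runs that depend on
the shared token referenced by `api-token-secret-namespace`.
Assumptions: resolver param names `org`, `repo`, `token`; kubectl JSON list format."""
import json
from typing import Optional, Tuple


def resolver_params(run: dict) -> Tuple[Optional[str], dict]:
    """Return (resolver name, {param name: value}) for a TaskRun or PipelineRun."""
    spec = run.get("spec", {})
    ref = spec.get("taskRef") or spec.get("pipelineRef") or {}
    params = {p["name"]: p.get("value") for p in ref.get("params", [])}
    return ref.get("resolver"), params


def relies_on_central_token(run: dict) -> bool:
    """True when the run resolves via the git resolver's API mode (assumed to be
    signalled by `org`+`repo`) and supplies no per-run `token`."""
    resolver, params = resolver_params(run)
    if resolver != "git":
        return False
    api_mode = "org" in params and "repo" in params
    return api_mode and "token" not in params


def audit(kubectl_list_json: str) -> list:
    """Parse kubectl list output; return 'namespace/name' for each dependent run."""
    items = json.loads(kubectl_list_json).get("items", [])
    return [f'{r["metadata"]["namespace"]}/{r["metadata"]["name"]}'
            for r in items if relies_on_central_token(r)]


# Constructed sample standing in for real kubectl output.
SAMPLE = json.dumps({"items": [
    {"kind": "TaskRun", "metadata": {"namespace": "team-a", "name": "build-1"},
     "spec": {"taskRef": {"resolver": "git", "params": [
         {"name": "org", "value": "example-org"}, {"name": "repo", "value": "tasks"},
         {"name": "pathInRepo", "value": "task.yaml"}]}}},
    {"kind": "TaskRun", "metadata": {"namespace": "team-b", "name": "build-2"},
     "spec": {"taskRef": {"resolver": "git", "params": [
         {"name": "org", "value": "example-org"}, {"name": "repo", "value": "tasks"},
         {"name": "token", "value": "team-b-git-token"}]}}},
    {"kind": "PipelineRun", "metadata": {"namespace": "team-c", "name": "release-1"},
     "spec": {"pipelineRef": {"resolver": "git", "params": [
         {"name": "url", "value": "https://example.invalid/repo.git"}]}}},
]})

if __name__ == "__main__":
    for run in audit(SAMPLE):
        print("relies on central git token:", run)
```

Runs reported by `audit` are the ones to migrate to namespace-local secrets before the shared token is rotated.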
References
- GHSA-wjxp-xrpv-xpff Security Advisory
- Root Cause Issue #9608
- Defense-in-Depth Issue #9609
- NVD Entry CVE-2026-40161