CVE-2026-40923: Tekton Pipelines VolumeMount Path Restriction Bypass via Missing Path Normalization
Vulnerability ID: CVE-2026-40923
CVSS Score: 5.4
Published: 2026-04-21
CVE-2026-40923 is a path traversal vulnerability in Tekton Pipelines, a Kubernetes-native CI/CD framework. The vulnerability allows an authenticated attacker with permissions to create Task or TaskRun resources to bypass VolumeMount path restrictions. By using '..' path traversal components in a mount path, an attacker can mount volumes over restricted internal Tekton directories, potentially leading to the injection of fake task results, modification of execution scripts, or interference with pipeline coordination state.
TL;DR
A missing path normalization flaw in Tekton Pipelines allows authenticated attackers to bypass VolumeMount restrictions and overwrite internal directories via path traversal.
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS Score: 5.4
- Impact: Data Integrity Compromise, Execution Hijack
- Exploit Status: Unexploited
- KEV Status: Not Listed
Affected Systems
- Tekton Pipelines
- Kubernetes CI/CD environments
- Tekton Pipelines: < 1.11.1 (Fixed in: 1.11.1)
Mitigation Strategies
- Update Tekton Pipelines to patched version
- Implement Admission Controller Policies
- Restrict RBAC Permissions
Remediation Steps:
- Upgrade Tekton Pipelines to version 1.11.1 or later.
- Deploy Kyverno or OPA/Gatekeeper rules to block '..' sequences in VolumeMount paths.
- Audit and enforce strict RBAC controls over Task and TaskRun creation.
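The root cause and the admission-policy mitigation above both come down to one check. The following Go program, added here as an illustration and not Tekton's own code, puts the flawed literal comparison next to a version that normalizes the mountPath first; the list of reserved directories is an assumption chosen to match the impacts the advisory names (results, scripts, run state).

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Directories Tekton reserves inside step containers. ASSUMPTION: an
// illustrative list for this example; the advisory only says "restricted
// internal Tekton directories" and this is not the project's own code.
var reservedDirs = []string{"/tekton/results", "/tekton/scripts", "/tekton/run"}

// touchesReserved reports whether a mount at p would replace a reserved
// directory, sit inside one, or shadow one from above (e.g. "/tekton" or "/").
func touchesReserved(p string) bool {
	for _, d := range reservedDirs {
		if p == "/" || p == d || strings.HasPrefix(p, d+"/") || strings.HasPrefix(d, p+"/") {
			return true
		}
	}
	return false
}

// NaiveMountCheck is the flawed pattern: it tests the literal string, so
// "/workspace/../tekton/results" passes even though it lands on results.
func NaiveMountCheck(mountPath string) bool { return touchesReserved(mountPath) }

// NormalizedMountCheck cleans the path first ("." and ".." resolved, repeated
// separators collapsed) and applies the same test to the path that will
// actually be mounted. It returns the cleaned path and whether to reject.
func NormalizedMountCheck(mountPath string) (string, bool) {
	if !strings.HasPrefix(mountPath, "/") {
		return mountPath, true // Kubernetes mountPath must be absolute
	}
	clean := path.Clean(mountPath)
	return clean, touchesReserved(clean)
}

func main() {
	for _, p := range []string{"/workspace/out", "/workspace/../tekton/results", "/tekton"} {
		clean, reject := NormalizedMountCheck(p)
		fmt.Printf("%-30s naive=%-5v normalized=%v (%s)\n", p, NaiveMountCheck(p), reject, clean)
	}
}
```

The same normalize-then-compare logic is what an admission policy (Kyverno or Gatekeeper) should express; a rule that only string-matches ".." misses equivalent forms such as "/tekton//run/./x".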