CVE-2026-40924: Uncontrolled Resource Consumption in Tekton Pipelines HTTP Resolver
Vulnerability ID: CVE-2026-40924
CVSS Score: 6.5
Published: 2026-04-21
An uncontrolled resource consumption vulnerability exists in the HTTP resolver component of Tekton Pipelines prior to version 1.11.1. The flaw allows an authenticated attacker to trigger an out-of-memory (OOM) condition by pointing the resolver at a server that returns an arbitrarily large HTTP response body during pipeline resolution, resulting in a denial of service for all resolution tasks within the Kubernetes cluster.
TL;DR
Tekton Pipelines < 1.11.1 suffers from a Denial of Service vulnerability due to unbounded memory allocation in the HTTP resolver. Attackers with permission to create TaskRuns can crash the resolver pod by pointing it to a malicious server that streams an excessively large response.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-400
- Attack Vector: Network
- CVSS Score: 6.5
- Impact: High Availability (DoS)
- Exploit Status: Proof of Concept available
- Authentication Required: Low (Permission to create resources)
Affected Systems
- Tekton Pipelines: < 1.11.1 (fixed in 1.11.1)
Mitigation Strategies
- Upgrade Tekton Pipelines to version 1.11.1 or higher.
- Implement Kubernetes Network Policies to restrict egress traffic from the tekton-pipelines-resolvers pod.
- Restrict RBAC permissions for creating TaskRun and PipelineRun resources to trusted entities.
Remediation Steps:
- Review the current version of Tekton Pipelines installed in the cluster.
- Apply the version 1.11.1 manifests via kubectl apply -f.
- Verify the tekton-pipelines-resolvers pod is running the updated image.
- Identify and delete any pending or retrying TaskRuns that attempt to resolve malicious URLs.