DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40938: Remote Code Execution via Argument Injection in Tekton Pipelines Git Resolver

Vulnerability ID: CVE-2026-40938
CVSS Score: 7.5
Published: 2026-04-21

Tekton Pipelines versions 1.0.0 through 1.11.0 contain a critical argument injection vulnerability in the git resolver component. An attacker with permissions to create ResolutionRequest objects can achieve remote code execution and cluster-wide secret exfiltration by injecting malicious flags into the git fetch command.

TL;DR

Argument injection in the Tekton git resolver allows unauthenticated users to execute arbitrary commands via the --upload-pack flag, leading to complete cluster compromise and secret exfiltration.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-88
  • Vulnerability Class: Argument Injection
  • Attack Vector: Network (ResolutionRequest CRD)
  • CVSS v3.1 Score: 7.5 (High)
  • Exploit Availability: Proof of Concept
  • Impact: Remote Code Execution, Privilege Escalation

Affected Systems

  • Tekton Pipelines Git Resolver
  • Kubernetes Clusters
  • tekton-pipelines-resolvers pod
  • Tekton Pipelines: >= 1.0.0, <= 1.11.0 (Fixed in: 1.11.1)

Mitigation Strategies

  • Upgrade Tekton Pipelines to patched version 1.11.1
  • Implement OPA/Kyverno admission controllers to reject hyphens in git revisions
  • Restrict the validateRepoURL regex to disallow local paths starting with /
  • Deploy eBPF runtime monitoring for anomalous child processes from git

Remediation Steps

  1. Identify all namespaces running Tekton Pipelines components
  2. Review current version to determine if it falls within the 1.0.0 - 1.11.0 range
  3. Apply the Tekton Pipelines 1.11.1 release manifests via kubectl apply
  4. Verify the tekton-pipelines-resolvers deployment has rolled out successfully
  5. Audit Kubernetes API logs retrospectively for past ResolutionRequest injections
  6. Rotate cluster secrets if any suspicious activity is identified in the resolver pod logs
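The version check in steps 2 and 3, the input validation behind the admission-controller and regex mitigations above, and the retrospective audit in step 5 can all be expressed as a small defensive script. The following is an added example, not Tekton's own code or the report's: it assumes ResolutionRequest objects carry the repository URL and revision as `spec.params` entries named `url` and `revision` (adjust to your CRD version), and it narrows "reject hyphens" to rejecting revisions that begin with a hyphen, since that is the form git parses as an option; the sample objects are constructed.

```python
"""Defensive helpers for CVE-2026-40938 (Tekton git resolver argument injection).

Added example, not Tekton's code. The spec.params layout (name/value pairs named
"url" and "revision") is an assumption about the ResolutionRequest CRD.
"""
import re
from typing import Iterable

# Range named by the advisory: >= 1.0.0 and <= 1.11.0, fixed in 1.11.1.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 11, 0)


def parse_version(v: str) -> tuple:
    """Parse 'v1.11.0' or '1.11.0' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(v: str) -> bool:
    """True when the deployed Tekton Pipelines version falls in the affected range."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def is_safe_revision(rev: str) -> bool:
    """Reject an empty ref or anything git would parse as an option instead of a ref."""
    return bool(rev) and not rev.startswith("-")


# Only remote URL forms are allowed; local filesystem paths are refused outright.
_REMOTE_URL = re.compile(r"^(https?://|ssh://|git://|[\w.-]+@[\w.-]+:)\S+$")


def is_safe_repo_url(url: str) -> bool:
    """Accept http(s)/ssh/git URLs and scp-style 'user@host:path'; refuse paths starting with '/'."""
    return not url.startswith("/") and bool(_REMOTE_URL.match(url))


def _param(obj: dict, name: str) -> str:
    """Return the value of the named spec.params entry, or '' if absent (assumed layout)."""
    for p in obj.get("spec", {}).get("params", []):
        if p.get("name") == name:
            return str(p.get("value", ""))
    return ""


def audit_resolution_requests(objs: Iterable[dict]) -> list:
    """Return (namespace, name, reason) for every object that fails validation.

    Feed it the output of an API-server audit log export or 'kubectl get ... -o json'
    to find past requests that should have been rejected.
    """
    findings = []
    for obj in objs:
        meta = obj.get("metadata", {})
        ident = (meta.get("namespace", ""), meta.get("name", ""))
        rev = _param(obj, "revision")
        url = _param(obj, "url")
        if rev and not is_safe_revision(rev):
            findings.append((*ident, f"revision begins with '-': {rev!r}"))
        if url and not is_safe_repo_url(url):
            findings.append((*ident, f"repo url is not a remote URL: {url!r}"))
    return findings


# Constructed sample objects (not real cluster data).
SAMPLE_OBJECTS = [
    {"metadata": {"namespace": "ci", "name": "rr-ok"},
     "spec": {"params": [{"name": "url", "value": "https://github.com/example/repo.git"},
                         {"name": "revision", "value": "main"}]}},
    {"metadata": {"namespace": "ci", "name": "rr-flag"},
     "spec": {"params": [{"name": "url", "value": "https://github.com/example/repo.git"},
                         {"name": "revision", "value": "--upload-pack"}]}},
    {"metadata": {"namespace": "dev", "name": "rr-local"},
     "spec": {"params": [{"name": "url", "value": "/var/lib/somewhere"},
                         {"name": "revision", "value": "main"}]}},
]

if __name__ == "__main__":
    print("affected:", is_affected_version("1.11.0"), "patched:", is_affected_version("1.11.1"))
    for finding in audit_resolution_requests(SAMPLE_OBJECTS):
        print(finding)
```

The URL rule is deliberately an allow-list of remote forms rather than a deny-list of `/`-prefixed paths alone, so `file://` and bare relative paths are also refused; if your pipelines legitimately use other transports, extend the pattern rather than loosening the path check.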

Read the full report for CVE-2026-40938 on our website for more details including interactive diagrams and full exploit analysis.
