{
  "threat_severity" : "Important",
  "public_date" : "2026-03-23T23:55:54Z",
  "bugzilla" : {
    "description" : "Tekton Pipelines: github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure via path traversal in git resolver",
    "id" : "2450554",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2450554"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.", "A flaw was found in Tekton Pipelines, specifically in the Tekton Pipelines git resolver. A tenant with permission to create ResolutionRequests can exploit a path traversal vulnerability via the `pathInRepo` parameter. This allows the tenant to read arbitrary files from the resolver pod's filesystem, leading to information disclosure, including sensitive ServiceAccount tokens. The contents of these files are returned in a base64-encoded format." ],
  "statement" : "To exploit this flaw, an attacker needs permission to create ResolutionRequests (e.g., by creating TaskRuns or PipelineRuns that use the git resolver) within at least one namespace, which limits the exposure of this issue to authenticated users. However, such an attacker can read any file readable by the resolver pod process, including cluster secrets, allowing an escalation of privileges from namespace-scoped access to cluster-wide access. For these reasons, this vulnerability has been rated with Important severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Builds 1.6.5",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10155",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.6::el9",
    "package" : "openshift-builds/openshift-builds-rhel9-operator:1776859898"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.6.5",
    "release_date" : "2026-04-28T00:00:00Z",
    "advisory" : "RHSA-2026:11330",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.6::el9",
    "package" : "openshift-builds/openshift-builds-rhel9-operator:1776859898"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.2",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10158",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-rhel9-operator:1776860241"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.2",
    "release_date" : "2026-04-28T00:00:00Z",
    "advisory" : "RHSA-2026:11331",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-rhel9-operator:1776860241"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.2",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10026",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.20::el9",
    "package" : "openshift-pipelines/pipelines-resolvers-rhel9:1774596617"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.2",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10066",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.20::el9",
    "package" : "openshift-pipelines/pipelines-operator-bundle:1776925111"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.21",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6166",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.21::el9",
    "package" : "openshift-pipelines/pipelines-resolvers-rhel9:1774556280"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.21",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6170",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.21::el9",
    "package" : "openshift-pipelines/pipelines-operator-bundle:1774871390"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer 1.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10125",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9",
    "package" : "rhtas/client-server-rhel9:1776339099"
  } ],
  "package_state" : [ {
    "product_name" : "Builds for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-builds/openshift-builds-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_builds:1"
  }, {
    "product_name" : "Builds for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-builds/openshift-builds-git-cloner-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_builds:1"
  }, {
    "product_name" : "Builds for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-builds/openshift-builds-image-bundler-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_builds:1"
  }, {
    "product_name" : "Builds for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-builds/openshift-builds-image-processing-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_builds:1"
  }, {
    "product_name" : "Builds for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-builds/openshift-builds-waiters-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_builds:1"
  }, {
    "product_name" : "Builds for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-builds/openshift-builds-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_builds:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-cli-tkn-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-entrypoint-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-events-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-git-init-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-api-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-manual-approval-gate-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-manual-approval-gate-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-nop-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-opc-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-operator-proxy-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-operator-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pruner-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-results-api-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-results-watcher-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-sidecarlogresults-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-core-interceptors-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-eventlistenersink-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-workingdirinit-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-client-kn-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-plugin-func-func-util-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-ml-pipelines-api-server-v2-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-ml-pipelines-driver-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-ml-pipelines-launcher-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-ssp-operator-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-template-validator-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33211\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33211\nhttps://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c\nhttps://github.com/tektoncd/pipeline/commit/318006c4e3a5\nhttps://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd\nhttps://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae\nhttps://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e\nhttps://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db\nhttps://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78\nhttps://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c" ],
  "name" : "CVE-2026-33211",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, restrict the creation of ResolutionRequests to trusted users and service accounts. Implement strict Role-Based Access Control (RBAC) policies to limit which tenants can create TaskRuns or PipelineRuns that utilize the Tekton Pipelines git resolver. This reduces the exposure by preventing unauthorized access to the resolver pod's filesystem.",
    "lang" : "en:us"
  },
  "csaw" : false
}