Bug 2460159 (CVE-2026-25542)

Summary: CVE-2026-25542 github.com/tektoncd/pipeline: Tekton Pipelines: Security bypass due to regular expression matching flaw
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Tekton Pipelines. An attacker can bypass trusted resource verification policies by crafting a malicious source string that contains a trusted pattern as a substring. This is due to the `regexp.MatchString` function in Go matching patterns anywhere within a string, rather than requiring an exact match. This vulnerability can lead to unintended policy matches, allowing an attacker to alter verification modes or keys and potentially compromise the integrity of Continuous Integration/Continuous Delivery (CI/CD) pipelines.

Description (OSIDB Bzimport, 2026-04-21 17:01:37 UTC)
The Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resource verification policies match a resource's source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in the Tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
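The following Go program is an added illustration of the matching flaw described above; it is not Tekton's own code, and the Policy type, SelectMode function and sample policies/sources are constructed stand-ins for the real VerificationPolicy resource. It runs the same policy through the unanchored check (regexp.MatchString) and through an anchored check that requires the whole source string to match, and shows that only the unanchored check lets a source that merely contains the trusted pattern pick up that policy's mode.

```go
package main

import (
	"fmt"
	"regexp"
)

// Policy is a constructed stand-in for a trusted-resource verification policy:
// a source pattern and the verification mode that applies when it matches.
// It is not Tekton's actual VerificationPolicy type.
type Policy struct {
	Name    string
	Pattern string // plays the role of spec.resources[].pattern
	Mode    string // e.g. "enforce" or "warn"
}

// Matcher decides whether a source URI satisfies a policy pattern.
type Matcher func(pattern, source string) (bool, error)

// MatchAnywhere reproduces the flawed check: regexp.MatchString reports a
// match if the pattern occurs anywhere inside the source string.
func MatchAnywhere(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// MatchWhole anchors the pattern so only a source matched in its entirety
// counts. The non-capturing group keeps alternations such as a|b intact
// under the anchors.
func MatchWhole(pattern, source string) (bool, error) {
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return false, err
	}
	return re.MatchString(source), nil
}

// SelectMode returns the mode of the first policy whose pattern matches the
// source, or "" when no policy applies (a caller would then treat the
// resource as untrusted rather than fall through to a weaker mode).
func SelectMode(policies []Policy, source string, match Matcher) (string, error) {
	for _, p := range policies {
		ok, err := match(p.Pattern, source)
		if err != nil {
			return "", fmt.Errorf("policy %s: %w", p.Name, err)
		}
		if ok {
			return p.Mode, nil
		}
	}
	return "", nil
}

// Constructed sample data: one policy with an unanchored pattern of the kind
// the description says is common, a legitimate source, and a source that only
// contains the trusted pattern as a substring.
var policies = []Policy{
	{Name: "catalog-warn", Pattern: "https://github.com/tektoncd/catalog.git", Mode: "warn"},
}

const trustedSource = "https://github.com/tektoncd/catalog.git"
const craftedSource = "https://untrusted.example/?u=https://github.com/tektoncd/catalog.git"

func main() {
	for _, src := range []string{trustedSource, craftedSource} {
		anyMode, _ := SelectMode(policies, src, MatchAnywhere)
		wholeMode, _ := SelectMode(policies, src, MatchWhole)
		fmt.Printf("%s\n  anywhere=%q whole=%q\n", src, anyMode, wholeMode)
	}
}
```

Anchoring only removes the substring problem: a pattern that uses unescaped metacharacters (the `.` in `catalog.git` above matches any character) is still broader than its author probably intended, so patterns in a policy should be reviewed for escaping as well as anchoring.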