Bug 2460292 (CVE-2026-40938)

| Summary: | CVE-2026-40938 github.com/tektoncd/pipeline: Tekton Pipelines: Arbitrary code execution and secret exfiltration via malicious git commands | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | anpicker, bbrownin, bparees, dfreiber, dhanak, drosa, drow, dsimansk, eborisov, fdeutsch, hasun, jburrell, jfula, jkoehler, jowilson, kingland, kverlaen, lball, lphiri, mnovotny, ngough, nyancey, ometelka, oramraz, ptisnovs, sausingh, smullick, stirabos, syedriko, thason, veshanka, vkumar, xdharmai |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

A flaw was found in Tekton Pipelines, a system for declaring continuous integration/continuous delivery (CI/CD) pipelines. An authenticated user, able to submit `ResolutionRequest` objects, can exploit a vulnerability by injecting malicious commands into the git resolver's revision parameter. This allows for the execution of unauthorized programs on the resolver pod. Successful exploitation can lead to the exfiltration of all cluster-wide secrets, resulting in significant information disclosure.

Description (OSIDB Bzimport, 2026-04-21 21:02:39 UTC)