Bug 2460159 (CVE-2026-25542) - CVE-2026-25542 github.com/tektoncd/pipeline: Tekton Pipelines: Security bypass due to regular expression matching flaw
Keywords:
Status: NEW
Alias: CVE-2026-25542
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-04-21 17:01 UTC by OSIDB Bzimport
Modified: 2026-04-22 20:35 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-21 17:01:37 UTC
The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in the Tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
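The matching behaviour the description refers to, shown as an added example that is not part of this bug report or of Tekton's code: the unanchored regexp.MatchString check beside an anchored variant that requires the pattern to cover the whole source string. The pattern and the two URIs are constructed sample values, and the anchored form is an assumed hardening, not the project's actual fix.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample values (not taken from the advisory or from Tekton):
// a trusted-source pattern of the unanchored shape the advisory warns about,
// a genuinely trusted refSource.URI, and a URI that merely embeds it.
const (
	TrustedPattern = `https://github\.com/example-org/.*`
	TrustedURI     = "https://github.com/example-org/pipelines"
	LookalikeURI   = "https://untrusted.example/x?u=https://github.com/example-org/pipelines"
)

// MatchUnanchored reproduces the flawed check: regexp.MatchString reports a
// match if the pattern matches anywhere in the source string.
func MatchUnanchored(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// MatchAnchored is the hardened form assumed here (not the project's own fix):
// the pattern is wrapped in ^(?:...)$ so it must cover the whole source string.
// The non-capturing group keeps alternations such as a|b inside the anchors.
func MatchAnchored(pattern, source string) (bool, error) {
	re, err := regexp.Compile(`^(?:` + pattern + `)$`)
	if err != nil {
		return false, err
	}
	return re.MatchString(source), nil
}

func main() {
	// The trusted URI passes both checks; the lookalike passes only the
	// unanchored one, which is the unintended policy match described above.
	for _, uri := range []string{TrustedURI, LookalikeURI} {
		loose, _ := MatchUnanchored(TrustedPattern, uri)
		strict, _ := MatchAnchored(TrustedPattern, uri)
		fmt.Printf("%-75s unanchored=%-5v anchored=%v\n", uri, loose, strict)
	}
}
```

Pattern authors can get the same effect without a code change by writing patterns with explicit ^ and $ anchors, but a policy engine that anchors on the caller's behalf does not depend on every policy getting that right.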

