2460173 – (CVE-2026-40161) CVE-2026-40161 github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure of Git API token via user-controlled serverURL

Bug 2460173 (CVE-2026-40161) - CVE-2026-40161 github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure of Git API token via user-controlled serverURL

Summary: CVE-2026-40161 github.com/tektoncd/pipeline: Tekton Pipelines: Information di...

Keywords:
Status:	NEW
Alias:	CVE-2026-40161
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-21 17:02 UTC by OSIDB Bzimport
Modified:	2026-04-23 23:17 UTC (History)
CC List:	32 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-21 17:02:30 UTC

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint.

Note You need to log in before you can comment on or make changes to this bug.

anpicker
bparees
dfreiber
dhanak
drosa
drow
dsimansk
eborisov
fdeutsch
hasun
jburrell
jfula
jkoehler
jowilson
kingland
kverlaen
lball
lphiri
mnovotny
ngough
nyancey
ometelka
oramraz
ptisnovs
sausingh
smullick
stirabos
syedriko
thason
veshanka
vkumar
xdharmai