7.7
CVE-2026-40161
- EPSS 0.26%
- Veröffentlicht 21.04.2026 16:26:27
- Zuletzt bearbeitet 21.05.2026 22:16:48
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linuxfoundation ≫ Tekton Pipelines SwPlatformgo Version >= 1.0.0 <= 1.10.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.171 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 7.7 | 3.1 | 4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
CWE-201 Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
https://github.com/tektoncd/pipeline/security/advisories/GHSA-wjxp-xrpv-xpff
https://github.com/tektoncd/pipeline/issues/9608
https://github.com/tektoncd/pipeline/issues/9609