CVE-2026-33211
Tekton · Pipelines
A path traversal vulnerability in the Tekton Pipelines git resolver allows authenticated tenants to read arbitrary files, including sensitive ServiceAccount tokens, from the resolver pod.
Executive summary
The Tekton Pipelines git resolver is vulnerable to path traversal, enabling unauthorized access to sensitive filesystem data and credentials.
Vulnerability
The pathInRepo parameter in the git resolver is susceptible to path traversal. Authenticated users with permissions to create ResolutionRequests can exploit this to read arbitrary files from the pod's filesystem, including sensitive ServiceAccount tokens.
Business impact
This vulnerability carries a CVSS score of 9.6, posing an extreme risk to CI/CD pipeline security. By obtaining ServiceAccount tokens, an attacker could escalate privileges within the Kubernetes cluster, potentially leading to unauthorized control over the entire CI/CD environment and associated production deployments.
Remediation
Immediate Action: Update Tekton Pipelines to the patched versions (1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2) as specified by the vendor.
Proactive Monitoring: Audit ResolutionRequest logs for irregular pathInRepo patterns or attempts to access system-level files outside of authorized repository structures.
Compensating Controls: Review and tighten Kubernetes Role-Based Access Control (RBAC) policies to restrict which users can create TaskRuns or PipelineRuns.
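The two defensive pieces this advisory calls for, a containment check on pathInRepo and an audit of submitted values against that same check, as an added Go example. This is not Tekton's own code: ResolveInRepo, FlagSuspicious, the ResolutionRecord type, the repository root and every sample pathInRepo value are constructed here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a requested path would escape the checkout.
var ErrOutsideRepo = errors.New("pathInRepo escapes the repository root")

// ResolveInRepo joins a user-supplied pathInRepo onto the directory holding
// the cloned repository and verifies the result stays inside that directory.
// Hypothetical helper written for this advisory, not Tekton's resolver code.
func ResolveInRepo(repoRoot, pathInRepo string) (string, error) {
	if pathInRepo == "" {
		return "", errors.New("pathInRepo must not be empty")
	}
	// Absolute paths are never valid: every path is relative to the checkout.
	if filepath.IsAbs(pathInRepo) {
		return "", ErrOutsideRepo
	}
	root := filepath.Clean(repoRoot)
	// Join cleans the result, so "tasks/../../x" collapses to the path the
	// OS would actually open before the containment check runs.
	full := filepath.Join(root, pathInRepo)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// After cleaning, any escape shows up as a leading ".." component.
	// A file literally named "..config" is not an escape and is allowed.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// ResolutionRecord is a constructed stand-in for the fields an operator
// would extract from a ResolutionRequest when auditing (name and pathInRepo).
type ResolutionRecord struct {
	Name       string
	PathInRepo string
}

// FlagSuspicious returns the names of records whose pathInRepo would escape
// the checkout, reusing the containment check the resolver should enforce.
func FlagSuspicious(repoRoot string, records []ResolutionRecord) []string {
	var flagged []string
	for _, r := range records {
		if _, err := ResolveInRepo(repoRoot, r.PathInRepo); err != nil {
			flagged = append(flagged, r.Name)
		}
	}
	return flagged
}

// Constructed sample data for the audit demonstration.
var sampleRecords = []ResolutionRecord{
	{Name: "build-task", PathInRepo: "tasks/build.yaml"},
	{Name: "lint-task", PathInRepo: "./ci/lint.yaml"},
	{Name: "dotdot-name", PathInRepo: "..config/x.yaml"},
	{Name: "odd-1", PathInRepo: "../../etc/hostname"},
	{Name: "odd-2", PathInRepo: "/etc/hostname"},
	{Name: "odd-3", PathInRepo: "tasks/../../escape.yaml"},
}

func main() {
	const repoRoot = "/tmp/tekton-checkout" // constructed checkout directory
	for _, name := range FlagSuspicious(repoRoot, sampleRecords) {
		fmt.Println("suspicious pathInRepo in", name)
	}
}
```

The check is purely lexical, which is what stops the "../" traversal described above. It does not follow symlinks: if a tenant-controlled repository can contain a symlink pointing outside the checkout, the resolver should additionally resolve the final path with filepath.EvalSymlinks and repeat the containment test on the result before reading the file.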
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the potential for credential theft and lateral movement within Kubernetes environments, this vulnerability is critical. Organizations should immediately audit their Tekton deployments and apply the provided patches to ensure pipeline integrity and prevent cluster-wide compromise.