anonhaven
Ad

CVE-2026-33211

CRITICAL CVSS 3.1: 9.6 EPSS 0.03%
Updated Mar 26, 2026
Linuxfoundation
Parameter Value
CVSS 9.6 (CRITICAL)
Affected Versions 1.1.0 — 1.9.2
Fixed In 1.3.3
Type CWE-22 (Path Traversal)
Vendor Linuxfoundation
Public PoC No

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens.

The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal

Vulnerable Products 5

Configuration From (including) Up to (excluding)
Linuxfoundation Tekton_Pipelines
cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*
 1.1.0 1.3.3
Linuxfoundation Tekton_Pipelines
cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*
 1.4.0 1.6.1
Linuxfoundation Tekton_Pipelines
cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*
 1.7.0 1.9.2
Linuxfoundation Tekton_Pipelines
cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*
 1.10.0 1.10.2
Linuxfoundation Tekton_Pipelines
cpe:2.3:a:linuxfoundation:tekton_pipelines:1.0.0:*:*:*:*:go:*:*

References 8

https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e3…
security-advisories@github.com
https://github.com/tektoncd/pipeline/commit/318006c4e3a5
security-advisories@github.com
https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf0…
security-advisories@github.com
https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0…
security-advisories@github.com
https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d…
security-advisories@github.com
https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107…
security-advisories@github.com
https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b…
security-advisories@github.com
https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-27489

Linuxfoundation

8.7

CVE-2026-33015

Everest

5.2

CVE-2026-33014

Everest

5.2

CVE-2026-33009

Everest

6.5

CVE-2026-29044

Everest

6.5