Path Traversal Vulnerability in Tekton Pipelines Git Resolver by Tekton
CVE-2026-33211

9.6 CRITICAL

Key Information:

Vendor

Tektoncd

Status
Vendor
CVE Published: 23 March 2026

What is CVE-2026-33211?

The Tekton Pipelines git resolver contains a vulnerability that allows tenants with appropriate permissions to perform path traversal via the pathInRepo parameter. The flaw enables unauthorized access to arbitrary files on the resolver pod's filesystem, which may include sensitive information such as ServiceAccount tokens. Affected users should upgrade to a patched version (1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2) to mitigate this risk.
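The containment check that this class of bug calls for, as an added Go example that is not Tekton's code or its actual patch: a requested pathInRepo is accepted only if it still resolves inside the checkout directory, both lexically and after symlinks are followed. The helper names resolveInRepo and within, the error ErrEscapesRepo, and the sample paths are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRepo marks a pathInRepo that resolves outside the checkout.
var ErrEscapesRepo = errors.New("pathInRepo escapes repository root")

// within reports whether p is root itself or a descendant of it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveInRepo (hypothetical helper, not the project's API) maps pathInRepo
// to a file under repoRoot or fails with ErrEscapesRepo.
func resolveInRepo(repoRoot, pathInRepo string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	// Join cleans the path, so "a/../../x" collapses before the lexical check.
	candidate := filepath.Join(root, pathInRepo)
	if !within(root, candidate) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRepo, pathInRepo)
	}
	// A repository can carry symlinks, so check again after resolving them.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !within(root, resolved) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRepo, pathInRepo)
	}
	return resolved, nil
}

func main() {
	// Constructed input: a parent-directory path checked against a temp dir.
	_, err := resolveInRepo(os.TempDir(), "../outside/secret.txt")
	fmt.Println(err)
}
```

The second check matters because a cloned repository's contents are controlled by whoever authored it, so a lexically clean path can still point at a symlink that leaves the checkout.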

Affected Version(s)

pipeline >= 1.0.0, < 1.0.1 < 1.0.0, 1.0.1

pipeline >= 1.1.0, < 1.3.3 < 1.1.0, 1.3.3

pipeline >= 1.4.0, < 1.6.1 < 1.4.0, 1.6.1

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
