fix(cve): CVE-2026-40938, CVE-2026-40161 - bump github.com/tektoncd/pipeline to v1.11.1 [release-v0.42.2]#2868

Open
divyansh42 wants to merge 1 commit into release-v0.42.2 from fix/cve-2026-40938-cve-2026-40161-tektoncd-pipeline-release-v0.42.2-attempt-1

Conversation

@divyansh42
Member

CVE Details

CVE-2026-40938 (Critical)

Tekton Pipelines: Arbitrary code execution and secret exfiltration via malicious git commands

The git resolver's revision parameter is passed directly to git fetch without validation. An attacker can inject arbitrary git fetch flags via the --upload-pack= flag. Combined with permitting local filesystem paths as URLs, this can execute arbitrary binaries on the resolver pod. The tekton-pipelines-resolvers ServiceAccount has cluster-wide get/list/watch on all Secrets.

  • Fixed in: github.com/tektoncd/pipeline v1.11.1
  • Jira: SRVKP-11720

CVE-2026-40161 (High)

Tekton Pipelines: Information disclosure of Git API token via user-controlled serverURL

The git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL. When the user omits the token parameter, the shared API token is sent to an attacker-controlled endpoint.

  • Fixed in: github.com/tektoncd/pipeline v1.10.1+
  • Jira: SRVKP-11650

Fix Summary

Updated github.com/tektoncd/pipeline from v1.3.1 to v1.11.1 in go.mod and regenerated go.sum.

| File | Change |
| --- | --- |
| go.mod | github.com/tektoncd/pipeline v1.3.1 → v1.11.1 |
| go.sum | Updated checksums |

Test Results

| Check | Status | Details |
| --- | --- | --- |
| go get github.com/tektoncd/pipeline@v1.11.1 | ✅ PASS | Dependency resolved without errors |
| go mod tidy -e | ✅ PASS | Minor warnings for test-only transitive deps (knative.dev/pkg latest) — not build-affecting |
| go mod verify | ✅ PASS | all modules verified |

Breaking Changes

None expected. This is a patch-level update within the same major version. The tektoncd/pipeline API is stable across this range.

Risk Assessment

Low — dependency version bump to address critical security vulnerabilities. No API changes in the components used by tkn CLI. The transitive go mod tidy -e warnings are from test-only dependencies in downstream packages and do not affect the CLI build.

Verification Steps

  • CI passes
  • tkn commands function correctly (pipeline list, run, logs)
  • No regression in git resolver behavior

Jira References

SRVKP-11720 (CVE-2026-40938, pipelines-1.20)
SRVKP-11650 (CVE-2026-40161, pipelines-1.20)

🤖 Generated with Claude Code
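The two CVE descriptions above both come down to untrusted resolver parameters reaching a privileged operation unchecked. As an added illustration (not Tekton's code and not the fix shipped in v1.11.1), the following Go functions show the defensive checks a git resolver would want on those inputs: refusing a `revision` that git could parse as an option and always passing it after `--`, and only sending the shared API token to a `serverURL` whose host is on an operator-configured allowlist (the allowlist and function names are assumptions for this example).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var ErrBadRevision = errors.New("revision must not look like a git option")
var ErrBadServerURL = errors.New("serverURL is not in the trusted allowlist")

// ValidateRevision accepts only values that can be a ref name or commit id:
// nothing starting with "-" (which git would read as a flag) and no
// whitespace or control characters.
func ValidateRevision(rev string) error {
	if rev == "" || strings.HasPrefix(rev, "-") {
		return ErrBadRevision
	}
	for _, r := range rev {
		if r <= ' ' || r == 0x7f {
			return ErrBadRevision
		}
	}
	return nil
}

// FetchArgs builds the argv for `git fetch`, inserting "--" so that even a
// revision that slipped past validation is never parsed as an option.
func FetchArgs(remote, rev string) ([]string, error) {
	if err := ValidateRevision(rev); err != nil {
		return nil, err
	}
	return []string{"git", "fetch", "--", remote, rev}, nil
}

// ValidateServerURL allows the system-configured API token to be sent only
// over https and only to hosts the operator listed (hypothetical allowlist).
func ValidateServerURL(serverURL string, allowedHosts []string) error {
	u, err := url.Parse(serverURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return ErrBadServerURL
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return nil
		}
	}
	return ErrBadServerURL
}

func main() {
	args, err := FetchArgs("https://example.com/repo.git", "main")
	fmt.Println(args, err)
	fmt.Println(ValidateServerURL("https://api.example.com", []string{"api.example.com"}))
}
```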

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label May 17, 2026
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign pradeepitm12 after the PR has been reviewed.
You can assign the PR to them by writing /assign @pradeepitm12 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 17, 2026
- Update github.com/tektoncd/pipeline from v1.3.1 to v1.11.1
- CVE-2026-40938: Arbitrary code execution via malicious git commands (Critical)
- CVE-2026-40161: Git API token disclosure via user-controlled serverURL (High)

Resolves: SRVKP-11720, SRVKP-11650

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: diagrawa <diagrawa@redhat.com>
@divyansh42 divyansh42 force-pushed the fix/cve-2026-40938-cve-2026-40161-tektoncd-pipeline-release-v0.42.2-attempt-1 branch from 37db085 to 7a9e82a Compare May 19, 2026 19:04
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 19, 2026
@divyansh42
Member Author

/release-note-none

@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 19, 2026
@divyansh42
Member Author

/hold

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 19, 2026