CVE-2026-33022
Denial-of-Service in Tekton Pipelines via Long Resolver Names
Publication date: 2026-03-20
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | tekton_pipelines | From 0.60.0 (inc) to 1.0.1 (exc) |
| linuxfoundation | tekton_pipelines | From 1.1.0 (inc) to 1.3.3 (exc) |
| linuxfoundation | tekton_pipelines | From 1.10.0 (inc) to 1.10.2 (exc) |
| linuxfoundation | tekton_pipelines | From 1.4.0 (inc) to 1.6.1 (exc) |
| linuxfoundation | tekton_pipelines | From 1.7.0 (inc) to 1.9.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33022 is a denial-of-service vulnerability in the Tekton Pipelines controller affecting versions from 0.60.0 through 1.10.0. It occurs when a user with permission to create TaskRun or PipelineRun resources sets the resolver name field (.spec.taskRef.resolver or .spec.pipelineRef.resolver) to a string of 31 or more characters. This causes the controller to generate a name that exceeds the DNS-1123 label limit of 63 characters.

The controller's truncation logic tries to shorten the generated name by searching for the last space character, but since the name contains no spaces, this results in an invalid slice operation causing a runtime panic. This panic crashes the controller, which then enters a CrashLoopBackOff state on restart because it repeatedly tries to reconcile the offending resource.

As a result, all TaskRun and PipelineRun reconciliations are blocked cluster-wide until the problematic resource is manually deleted. Built-in resolvers with short names are unaffected, but any custom resolver name longer than 30 characters triggers the bug.

The vulnerability is caused by improper validation of array indexes (CWE-129) and was fixed by changing the truncation logic to preserve the hash suffix and truncate only the resolver name prefix, ensuring the generated name fits within the DNS-1123 limit. [1]
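As an added illustration (not Tekton's own code), a Go reconstruction of the truncation behaviour described above beside the corrected form; the hash-suffix format and its 32-hex-character length are assumptions chosen so that the 30/31-character boundary the answer states falls out, and `panics` is a helper added only to show the crash without terminating the program.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const maxLabelLen = 63 // DNS-1123 label limit

// hashSuffix is an assumed stand-in for the controller's hash suffix: 32 hex
// characters, so "-"+hash is 33 and a 31+ character resolver exceeds 63.
func hashSuffix(runName string) string {
	sum := sha256.Sum256([]byte(runName))
	return hex.EncodeToString(sum[:])[:32]
}

// vulnerableName reconstructs the described behaviour: an over-long name is
// cut at its last space, but there is none, so LastIndex returns -1 and panics.
func vulnerableName(resolver, runName string) string {
	name := resolver + "-" + hashSuffix(runName)
	if len(name) > maxLabelLen {
		cut := strings.LastIndex(name[:maxLabelLen], " ")
		name = name[:cut] // runtime panic: slice bounds out of range [:-1]
	}
	return name
}

// fixedName keeps the hash suffix intact and truncates only the resolver
// prefix, so the result always fits a DNS-1123 label.
func fixedName(resolver, runName string) string {
	suffix := "-" + hashSuffix(runName)
	if budget := maxLabelLen - len(suffix); len(resolver) > budget {
		resolver = resolver[:budget]
	}
	return resolver + suffix
}

// panics reports whether f panics, so the crash can be shown without exiting.
func panics(f func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	f()
	return false
}

func main() {
	long := strings.Repeat("x", 31)
	fmt.Println(panics(func() { vulnerableName(long, "run-1") }), fixedName(long, "run-1"))
}
```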
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service condition in your Tekton Pipelines controller. If exploited, the controller crashes and enters a CrashLoopBackOff state, preventing any TaskRun or PipelineRun resources from being reconciled.
This means your CI/CD pipelines managed by Tekton will be blocked cluster-wide, halting automated build, test, and deployment workflows until the offending resource is manually removed or the controller is patched.
Since any user with permission to create TaskRun or PipelineRun resources can trigger this by using a long custom resolver name, it poses a risk especially in multi-tenant or shared cluster environments.
The impact is availability-related, with no direct confidentiality or integrity loss, but it can significantly disrupt development and deployment processes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for TaskRun or PipelineRun resources that have a .spec.taskRef.resolver or .spec.pipelineRef.resolver field set to a string of 31 or more characters. Such resources trigger a panic in the Tekton Pipelines controller, causing it to crash and enter a CrashLoopBackOff state.

To detect the vulnerability on your system, you can query your Kubernetes cluster for TaskRun or PipelineRun resources with long resolver names. For example, you can use kubectl commands to list these resources and filter by resolver name length.

- `kubectl get taskruns --all-namespaces -o json | jq '.items[] | select(.spec.taskRef.resolver != null and (.spec.taskRef.resolver | length) >= 31) | {namespace: .metadata.namespace, name: .metadata.name, resolver: .spec.taskRef.resolver}'`
- `kubectl get pipelineruns --all-namespaces -o json | jq '.items[] | select(.spec.pipelineRef.resolver != null and (.spec.pipelineRef.resolver | length) >= 31) | {namespace: .metadata.namespace, name: .metadata.name, resolver: .spec.pipelineRef.resolver}'`

Additionally, monitoring the Tekton Pipelines controller logs for CrashLoopBackOff events or panic stack traces related to slice bounds out of range can help identify if the vulnerability is being triggered. [1]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to restrict permissions to create or update TaskRun and PipelineRun resources in your Kubernetes cluster using RBAC policies. This prevents untrusted users from exploiting the vulnerability by creating resources with long resolver names.
Since no validation-side workaround exists without patching, you should upgrade your Tekton Pipelines controller to a patched version. Patched versions include 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2.
If the controller is already crashing due to this issue, manually delete the offending TaskRun or PipelineRun resource with the long resolver name to restore controller functionality.