CVE-2026-25542
Unanchored Regex Bypass in Tekton Pipelines Verification
Publication date: 2026-04-21
Last updated on: 2026-05-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | tekton_pipelines | From 0.43.0 (inc) to 1.11.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-185 | The product specifies a regular expression in a way that causes data to be improperly matched or compared. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Tekton Pipelines' trusted resources verification policy allows attacker-controlled source strings to bypass pattern matching by embedding trusted patterns as substrings. This can lead to unintended policy matches and changes in verification modes or keys applied, enabling signing request tampering and affecting the integrity of the CI/CD pipeline.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity impact caused by this vulnerability could indirectly affect compliance. For example, if the CI/CD pipeline is used to build or deploy software handling sensitive data, tampering with signing requests could lead to unauthorized code changes or deployments, potentially violating data protection and security requirements mandated by such regulations.
Therefore, organizations relying on Tekton Pipelines for secure software delivery should consider this vulnerability as a risk to maintaining compliance with standards that require strong integrity controls and secure software supply chains.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by examining the verification policy resource patterns used in Tekton Pipelines to see if they are unanchored regular expressions that allow substring matches. Specifically, look for patterns that are not anchored with start (^) and end ($) anchors, which can be bypassed by attacker-controlled source strings embedding trusted patterns as substrings.
A practical detection method is to review the Tekton pipeline verification policies and test if malicious URIs containing trusted patterns as substrings cause unintended matches.
Suggested commands include searching for unanchored patterns in your Tekton pipeline configuration files or policies, for example using grep:
- grep -rn 'pattern:' /path/to/tekton/pipeline/configs | grep -vE 'pattern: *"?\^.*\$"?$' # List pattern values (unquoted or double-quoted) that are not anchored with ^ and $
- Use test scripts or unit tests similar to those described in the fix to verify if source URIs containing trusted patterns as substrings are incorrectly matched.
Additionally, monitoring network traffic for suspicious URIs that embed trusted repository URLs as substrings (e.g., URLs containing trusted patterns within query parameters or path components) may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include manually anchoring all verification policy resource patterns to enforce full-string matching. This means updating patterns to be wrapped with start (^) and end ($) anchors, for example: '^https://github.com/tektoncd/catalog\.git$'.
Avoid using unanchored regular expressions in your trusted resource verification policies to prevent substring bypasses.
If possible, review and update your Tekton Pipelines to use the patched version that includes the fix for this vulnerability, which normalizes source URIs by stripping resolver prefixes and properly anchors patterns before matching.
Until patched versions are available, consider implementing additional validation or rejection of unanchored patterns in your policies.
Can you explain this vulnerability to me?
This vulnerability exists in the Tekton Pipelines project's trusted resources verification policies, where resource source strings are matched against patterns using Go's regexp.MatchString function. Because regexp.MatchString returns true if the pattern matches anywhere within the string (substring matching), unanchored regular expressions commonly used can be bypassed by attacker-controlled source strings that embed the trusted pattern as a substring.
An attacker can craft a malicious source URI containing a trusted pattern as a substring, causing an unintended policy match. This means the verification mode or keys applied may be altered incorrectly, potentially allowing signing request tampering.
The root cause is the lack of anchoring in regex patterns, allowing substring matches rather than full-string matches.
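The following Go program is an added illustration of the two points made above (substring matching with regexp.MatchString, and anchoring as the mitigation); it is not code from the Tekton Pipelines project. The policy patterns and the embedded source URI are constructed sample values, and the program does not perform the resolver-prefix normalization that the upstream fix adds. It shows the same pattern matched both as written and with a forced ^(?:...)$ wrapper, and includes the check a policy reviewer would run to list unanchored patterns.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample patterns in the style of a VerificationPolicy "pattern" field.
// These are illustrative values, not taken from any real Tekton policy.
var samplePolicyPatterns = []string{
	`https://github.com/tektoncd/catalog\.git`,   // unanchored: matches as a substring
	`^https://github.com/tektoncd/catalog\.git$`, // anchored: matches the whole string only
}

// MatchAsWritten applies the pattern the way regexp.MatchString does:
// it reports true if the pattern matches anywhere inside source.
func MatchAsWritten(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// MatchAnchored wraps the pattern in ^(?:...)$ so that only a full-string
// match succeeds. Wrapping an already-anchored pattern is harmless in RE2.
func MatchAnchored(pattern, source string) (bool, error) {
	return regexp.MatchString("^(?:"+pattern+")$", source)
}

// IsAnchored reports whether a pattern is explicitly wrapped with ^ and $.
func IsAnchored(pattern string) bool {
	return strings.HasPrefix(pattern, "^") && strings.HasSuffix(pattern, "$")
}

// UnanchoredPatterns lists the patterns from a policy that a reviewer should
// rewrite, because they would otherwise be matched as substrings.
func UnanchoredPatterns(patterns []string) []string {
	var out []string
	for _, p := range patterns {
		if !IsAnchored(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	trusted := "https://github.com/tektoncd/catalog.git"
	// Constructed source URI that merely contains the trusted URL as a substring.
	embedded := "https://untrusted.example/mirror?src=https://github.com/tektoncd/catalog.git"

	for _, p := range samplePolicyPatterns {
		for _, src := range []string{trusted, embedded} {
			asWritten, _ := MatchAsWritten(p, src)
			anchored, _ := MatchAnchored(p, src)
			fmt.Printf("pattern=%q source=%q as-written=%v anchored=%v\n", p, src, asWritten, anchored)
		}
	}
	fmt.Println("patterns to rewrite:", UnanchoredPatterns(samplePolicyPatterns))
}
```

Running it shows the unanchored pattern accepting the embedded source URI as written and rejecting it once anchored, while the anchored pattern behaves the same either way; the final line lists the one pattern the policy author should fix.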
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to bypass trusted resource verification policies in Tekton Pipelines. By embedding a trusted pattern as a substring in a malicious source URI, the attacker can cause an unintended policy match.
As a result, the verification mode or keys applied to the resource may be changed, enabling signing request tampering. This affects the integrity of the CI/CD pipeline processes, potentially allowing unauthorized or malicious code to be accepted as trusted.
The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity impact with network attack vector, low complexity, and low privileges required.