CVE-2026-40161
Token Exfiltration via Git Resolver in Tekton Pipelines
Publication date: 2026-04-21
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | tekton_pipelines | From 1.0.0 (inc) to 1.10.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with limited permissions to exfiltrate sensitive system-configured Git API tokens, which typically have read access to private repositories containing source code, secrets, and CI/CD configurations.
The exfiltration of such sensitive tokens can lead to unauthorized access to confidential data, potentially violating data protection and privacy regulations such as GDPR and HIPAA that require safeguarding sensitive information and preventing unauthorized disclosure.
Because the vulnerability enables leakage of credentials that protect private and potentially sensitive data, organizations using affected versions of Tekton Pipelines may face increased risk of non-compliance with these standards if the tokens are misused or data is exposed.
Mitigations such as restricting who can create TaskRun or PipelineRun resources, enforcing network egress policies, and avoiding system-level API tokens help reduce the risk and support compliance efforts.
Can you explain this vulnerability to me?
CVE-2026-40161 is a high-severity vulnerability in the Tekton Pipelines git resolver API mode affecting versions 1.0.0 through 1.10.0. When a user omits the token parameter but provides a serverURL, the system sends the system-configured Git API token (such as a GitHub Personal Access Token or GitLab token) to the user-controlled serverURL without validation.
This happens because the resolver reads the serverURL directly from user input without checking if it matches the system-configured URL, and then uses the system token for authentication. As a result, the system token is attached as an Authorization header on HTTP requests sent to the attacker-controlled serverURL, allowing an attacker to exfiltrate sensitive tokens.
An attacker with permission to create TaskRun or PipelineRun resources in a namespace can exploit this vulnerability by pointing the serverURL to an endpoint they control, thereby stealing the shared API token.
How can this vulnerability impact me?
This vulnerability can lead to the exfiltration of sensitive system-configured Git API tokens, which typically have read access to private repositories, including source code, secrets, and CI/CD configurations.
An attacker who can create TaskRun or PipelineRun resources can misuse this vulnerability to steal these tokens by redirecting requests to an attacker-controlled server, potentially compromising the confidentiality of private repositories and related resources.
The impact is significant because it allows a namespace-scoped tenant with limited permissions to escalate their access by obtaining shared credentials, which could lead to unauthorized access to sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unexpected outbound network traffic from the Tekton Pipelines git resolver to unknown or user-controlled server URLs, especially when the system-configured Git API token is being sent.
You can inspect TaskRun or PipelineRun resources in your Kubernetes cluster to identify if any are created with a git resolver using a serverURL parameter that differs from the system-configured URL and omits the token parameter.
Suggested commands include:
- Use kubectl to list TaskRuns or PipelineRuns whose git resolver reference sets `serverURL` without a `token` (resolver parameters live under `spec.taskRef.params` for TaskRuns and `spec.pipelineRef.params` for PipelineRuns, as a list of name/value pairs): `kubectl get taskruns,pipelineruns -A -o json | jq '.items[] | select((.spec.taskRef // .spec.pipelineRef) as $ref | $ref.resolver == "git" and any($ref.params[]?; .name == "serverURL") and (any($ref.params[]?; .name == "token") | not)) | {kind, namespace: .metadata.namespace, name: .metadata.name}'`
- Monitor network egress from the tekton-pipelines-resolvers namespace to detect connections to unexpected external endpoints, for example using network monitoring tools or Kubernetes NetworkPolicy logs.
- Check logs of the Tekton Pipelines resolver controller for warnings or errors related to token usage or serverURL validation.
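The same check as a standalone script, added here as an example that is not part of this advisory or of the Tekton project. It goes one step further than the one-line jq filter: it also compares each `serverURL` against the system-configured server, so runs that merely name the legitimate server are not reported. It assumes the resource layout produced by `kubectl get taskruns,pipelineruns -A -o json` (resolver reference under `spec.taskRef` or `spec.pipelineRef`, with `resolver` and a `params` list of `{name, value}` entries) and that the operator supplies the configured server URL from the git resolver ConfigMap (key name `server-url` assumed). The sample objects are constructed for illustration.

```python
"""Flag Tekton runs whose git resolver (API mode) would send the system token to
a caller-chosen server: `serverURL` present, `token` absent, host not the
system-configured one (CVE-2026-40161 pattern)."""
import json
from urllib.parse import urlparse

# Value an operator would read from the git resolver ConfigMap key `server-url`
# (assumed key name; constructed value for this example).
SYSTEM_SERVER_URL = "https://github.example.com"


def normalize_server(url):
    """Reduce a server URL to (scheme, host[:port]) so case or a trailing slash
    cannot disguise a mismatch. Unparseable input is compared verbatim."""
    if not url:
        return None
    parsed = urlparse(url.strip())
    if not parsed.scheme or not parsed.netloc:
        return url.strip()
    return (parsed.scheme.lower(), parsed.netloc.lower())


def resolver_ref(obj):
    """TaskRuns reference the resolver under spec.taskRef, PipelineRuns under spec.pipelineRef."""
    spec = obj.get("spec") or {}
    return spec.get("taskRef") or spec.get("pipelineRef") or {}


def resolver_params(ref):
    """Flatten the [{name, value}, ...] list into a dict."""
    return {p["name"]: p.get("value") for p in ref.get("params") or [] if "name" in p}


def classify(obj, system_server_url):
    """Return a finding dict when the run matches the risky pattern, else None."""
    ref = resolver_ref(obj)
    if ref.get("resolver") != "git":
        return None
    params = resolver_params(ref)
    server_url = params.get("serverURL")
    if server_url is None:  # clone mode or default API server: not the CVE pattern
        return None
    if "token" in params:   # caller-supplied token is used, not the system one
        return None
    if system_server_url and normalize_server(server_url) == normalize_server(system_server_url):
        return None         # the system token goes to the server it was issued for
    meta = obj.get("metadata") or {}
    return {
        "kind": obj.get("kind"),
        "namespace": meta.get("namespace"),
        "name": meta.get("name"),
        "serverURL": server_url,
        "reason": "git resolver serverURL set without token; system token would be sent to this host",
    }


def scan(items, system_server_url=SYSTEM_SERVER_URL):
    """Run classify() over a list of TaskRun/PipelineRun objects; pass None as the
    system URL when no server-url is configured, which flags every tokenless serverURL."""
    return [f for f in (classify(o, system_server_url) for o in items) if f]


def scan_kubectl_json(text, system_server_url=SYSTEM_SERVER_URL):
    """Accept the raw output of `kubectl get taskruns,pipelineruns -A -o json`."""
    return scan(json.loads(text).get("items", []), system_server_url)


def _run(kind, ns, name, ref_key, resolver, params):
    """Build a minimal run object in the kubectl JSON shape (constructed sample data)."""
    return {"kind": kind, "metadata": {"namespace": ns, "name": name},
            "spec": {ref_key: {"resolver": resolver,
                               "params": [{"name": k, "value": v} for k, v in params.items()]}}}


# Constructed sample resources: only the first one matches the risky pattern.
SAMPLE_ITEMS = [
    _run("TaskRun", "tenant-a", "build-from-git", "taskRef", "git",
         {"org": "acme", "repo": "tasks", "pathInRepo": "build.yaml",
          "serverURL": "https://untrusted.example/api"}),
    _run("PipelineRun", "tenant-b", "release", "pipelineRef", "git",
         {"org": "acme", "repo": "pipelines", "pathInRepo": "release.yaml",
          "serverURL": "https://github.example.com", "token": "my-token-secret"}),
    _run("TaskRun", "ci", "lint", "taskRef", "git",
         {"org": "acme", "repo": "tasks", "pathInRepo": "lint.yaml",
          "serverURL": "https://GitHub.example.com/"}),
    _run("TaskRun", "ci", "clone-mode", "taskRef", "git",
         {"url": "https://github.example.com/acme/tasks.git", "pathInRepo": "x.yaml"}),
    _run("TaskRun", "ci", "from-bundle", "taskRef", "bundles",
         {"bundle": "registry.example/tasks:v1", "name": "build"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ITEMS):
        print(json.dumps(finding))
```

Feed `scan_kubectl_json()` the cluster dump from the kubectl command above and pass `None` as the system URL if the git resolver ConfigMap has no `server-url`; in that case every run that sets `serverURL` without `token` is reported, which is the stricter reading when no legitimate external server exists.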
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid configuring a system-level API token in the git resolver ConfigMap; require users to supply their own tokens explicitly.
- Restrict which users or ServiceAccounts have permission to create TaskRun or PipelineRun resources that use the git resolver, limiting this to trusted users only.
- Apply Kubernetes NetworkPolicy egress restrictions on the tekton-pipelines-resolvers namespace to allow outbound traffic only to trusted Git servers, preventing exfiltration to attacker-controlled endpoints.
- Monitor and audit TaskRun and PipelineRun creations for suspicious parameters, especially those specifying a serverURL without a token.
- Plan to upgrade Tekton Pipelines to a fixed version beyond 1.10.0 once available, which enforces validation requiring a token when a non-system serverURL is used.