CVE-2026-40924
Analyzed Analyzed - Analysis Complete
Unrestricted HTTP Response Size Causes OOM in Tekton Pipelines

Publication date: 2026-04-21

Last updated on: 2026-05-22

Assigner: GitHub, Inc.

Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40924
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation tekton_pipelines to 1.11.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability causes denial of service by crashing the tekton-pipelines-resolvers pod, which can disrupt CI/CD pipeline operations. However, it does not directly impact confidentiality or integrity of data, nor does it involve unauthorized access to personal or sensitive information.

Therefore, while the availability of services may be affected, there is no direct indication from the provided information that this vulnerability impacts compliance with standards such as GDPR or HIPAA, which primarily focus on data protection and privacy.

Executive Summary

This vulnerability exists in the Tekton Pipelines project, specifically in the HTTP resolver's FetchHttpResource function prior to version 1.11.1. The function reads the entire HTTP response body without any size limit. An attacker with permission to create TaskRuns or PipelineRuns can direct the resolver to an attacker-controlled HTTP server that returns a very large response body within a 1-minute timeout. This causes the tekton-pipelines-resolvers pod to consume excessive memory and be killed by Kubernetes due to out-of-memory (OOM) conditions.

Since all resolver types run in the same pod, crashing this pod denies resolution services to the entire cluster. Repeated exploitation can cause a sustained crash loop, disrupting the CI/CD pipeline operations. The vulnerability affects both deprecated and current implementations of the HTTP resolver and was fixed in version 1.11.1.

Impact Analysis

The impact of this vulnerability is a denial of service (DoS) condition on the Tekton Pipelines cluster. An attacker can cause the tekton-pipelines-resolvers pod to be repeatedly OOM-killed, leading to a crash loop.

This results in the entire cluster losing resolution services for all resolver types (Git, Hub, Bundle, Cluster, HTTP), effectively disrupting the CI/CD pipelines and potentially halting automated build and deployment processes.

Mitigation Strategies

To mitigate this vulnerability, upgrade Tekton Pipelines to version 1.11.1 or later, where the issue has been fixed.

Additionally, restrict permissions so that only trusted tenants can create TaskRuns or PipelineRuns that reference the HTTP resolver, to prevent attackers from exploiting the vulnerability.

Detection Guidance

This vulnerability occurs when the tekton-pipelines-resolvers pod is OOM-killed due to processing a very large HTTP response body without size limits. Detection can focus on monitoring the pod's status for repeated OOM kills or crash loops.

  • Check the status of the tekton-pipelines-resolvers pod for restarts or OOM kills using Kubernetes commands:
  • kubectl get pods -n <namespace> | grep tekton-pipelines-resolvers
  • kubectl describe pod <pod-name> -n <namespace> | grep -i 'OOMKilled'
  • kubectl logs <pod-name> -n <namespace> --previous

Additionally, monitoring for unusually large HTTP responses or unusual TaskRuns or PipelineRuns referencing HTTP resolvers may help identify exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart