CVE-2026-40924
Unrestricted HTTP Response Size Causes OOM in Tekton Pipelines
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | tekton_pipelines | up to 1.11.1 (1.11.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Tekton Pipelines project, specifically in the HTTP resolver's FetchHttpResource function prior to version 1.11.1. The function reads the entire HTTP response body without any size limit. An attacker with permission to create TaskRuns or PipelineRuns can direct the resolver to an attacker-controlled HTTP server that returns a very large response body within a 1-minute timeout. This causes the tekton-pipelines-resolvers pod to consume excessive memory and be killed by Kubernetes due to out-of-memory (OOM) conditions.
Since all resolver types run in the same pod, crashing this pod denies resolution services to the entire cluster. Repeated exploitation can cause a sustained crash loop, disrupting the CI/CD pipeline operations. The vulnerability affects both deprecated and current implementations of the HTTP resolver and was fixed in version 1.11.1.
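The weakness described above is an unbounded read of an HTTP response body. The following Go program is an added illustration written for this page; it is not Tekton's code and does not reproduce the project's FetchHttpResource function. It places the vulnerable read pattern next to a bounded replacement and starts a local test server (a constructed stand-in for an attacker-controlled endpoint) that streams a large chunked body with no Content-Length header, so the memory cap must be enforced on the read itself rather than on a header. The 1 MiB limit, the function names and the server are all assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ErrResponseTooLarge is returned when a body exceeds the caller's limit.
var ErrResponseTooLarge = errors.New("http response body exceeds size limit")

// defaultClient applies the same kind of wall-clock timeout the advisory
// mentions; a timeout alone does not bound memory, as fetchUnbounded shows.
func defaultClient() *http.Client {
	return &http.Client{Timeout: time.Minute}
}

// fetchUnbounded reproduces the weakness described in the advisory: the whole
// body is read into memory with no cap, so the server decides how much memory
// this process allocates before the timeout fires.
func fetchUnbounded(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// fetchBounded is the hardened form. A declared oversized Content-Length is
// rejected before any read; otherwise at most maxBytes+1 bytes are read, so an
// undeclared (chunked) oversized body is detected without buffering all of it.
func fetchBounded(client *http.Client, url string, maxBytes int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	// ContentLength is -1 when unknown, so only a positive declared length is checked here.
	if resp.ContentLength > maxBytes {
		return nil, ErrResponseTooLarge
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return body, nil
}

// newChunkedServer is a constructed test server that streams size bytes of
// filler in flushed 64 KiB chunks, so the response carries no Content-Length
// header and a header-only check would not catch it.
func newChunkedServer(size int64) *httptest.Server {
	chunk := []byte(strings.Repeat("A", 64*1024))
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		flusher, _ := w.(http.Flusher)
		for sent := int64(0); sent < size; {
			n := int64(len(chunk))
			if size-sent < n {
				n = size - sent
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // client hung up (the bounded reader stops early)
			}
			sent += n
			if flusher != nil {
				flusher.Flush()
			}
		}
	}))
}

func main() {
	srv := newChunkedServer(8 << 20) // 8 MiB of filler, far above the 1 MiB cap below
	defer srv.Close()
	client := defaultClient()
	big, err := fetchUnbounded(client, srv.URL)
	fmt.Printf("unbounded: read %d bytes, err=%v\n", len(big), err)
	_, err = fetchBounded(client, srv.URL, 1<<20)
	fmt.Printf("bounded:   err=%v\n", err)
}
```

Reading one byte past the limit is what lets the bounded version distinguish a body of exactly maxBytes from one that is larger; checking ContentLength first is only an optimisation for honest servers, since a hostile one can omit the header or lie in it.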
How can this vulnerability impact me?
The impact of this vulnerability is a denial of service (DoS) condition on the Tekton Pipelines cluster. An attacker can cause the tekton-pipelines-resolvers pod to be repeatedly OOM-killed, leading to a crash loop.
This results in the entire cluster losing resolution services for all resolver types (Git, Hub, Bundle, Cluster, HTTP), effectively disrupting the CI/CD pipelines and potentially halting automated build and deployment processes.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Tekton Pipelines to version 1.11.1 or later, where the issue has been fixed.
Additionally, restrict permissions so that only trusted tenants can create TaskRuns or PipelineRuns that reference the HTTP resolver, to prevent attackers from exploiting the vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the tekton-pipelines-resolvers pod is OOM-killed due to processing a very large HTTP response body without size limits. Detection can focus on monitoring the pod's status for repeated OOM kills or crash loops.
- Check the status of the tekton-pipelines-resolvers pod for restarts or OOM kills using Kubernetes commands:
  - `kubectl get pods -n <namespace> | grep tekton-pipelines-resolvers`
  - `kubectl describe pod <pod-name> -n <namespace> | grep -i 'OOMKilled'`
  - `kubectl logs <pod-name> -n <namespace> --previous`
Additionally, monitoring for unusually large HTTP responses or unusual TaskRuns or PipelineRuns referencing HTTP resolvers may help identify exploitation attempts.
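The kubectl commands above are interactive checks. For a scheduled or alert-driven check, the same two signals (a last termination reason of `OOMKilled` and a current waiting reason of `CrashLoopBackOff`, which are standard fields of the Kubernetes pod status) can be read from `kubectl get pods -o json`. The program below is an added example for this page, not a Tekton project tool: it parses that JSON, flags matching containers, and exits non-zero when any are found. The embedded pod list is constructed sample output, and the pod and container names in it are illustrative placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// podList mirrors only the fields of `kubectl get pods -o json` used here;
// every other field in the real output is ignored by encoding/json.
type podList struct {
	Items []struct {
		Metadata struct {
			Namespace string `json:"namespace"`
			Name      string `json:"name"`
		} `json:"metadata"`
		Status struct {
			ContainerStatuses []struct {
				Name         string `json:"name"`
				RestartCount int    `json:"restartCount"`
				State        struct {
					Waiting *struct {
						Reason string `json:"reason"`
					} `json:"waiting"`
				} `json:"state"`
				LastState struct {
					Terminated *struct {
						Reason   string `json:"reason"`
						ExitCode int    `json:"exitCode"`
					} `json:"terminated"`
				} `json:"lastState"`
			} `json:"containerStatuses"`
		} `json:"status"`
	} `json:"items"`
}

// Finding describes one container that was OOM-killed or is crash-looping.
type Finding struct {
	Pod       string // namespace/name
	Container string
	Reason    string // "OOMKilled", "CrashLoopBackOff", or both joined with "+"
	Restarts  int
}

// findUnhealthy flags containers whose last termination reason is OOMKilled
// or whose current waiting reason is CrashLoopBackOff, restricted to pods
// whose name contains nameFilter when it is non-empty.
func findUnhealthy(raw []byte, nameFilter string) ([]Finding, error) {
	var list podList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("parse pod list: %w", err)
	}
	var out []Finding
	for _, pod := range list.Items {
		if nameFilter != "" && !strings.Contains(pod.Metadata.Name, nameFilter) {
			continue
		}
		for _, cs := range pod.Status.ContainerStatuses {
			var reasons []string
			if t := cs.LastState.Terminated; t != nil && t.Reason == "OOMKilled" {
				reasons = append(reasons, "OOMKilled")
			}
			if w := cs.State.Waiting; w != nil && w.Reason == "CrashLoopBackOff" {
				reasons = append(reasons, "CrashLoopBackOff")
			}
			if len(reasons) == 0 {
				continue
			}
			out = append(out, Finding{
				Pod:       pod.Metadata.Namespace + "/" + pod.Metadata.Name,
				Container: cs.Name,
				Reason:    strings.Join(reasons, "+"),
				Restarts:  cs.RestartCount,
			})
		}
	}
	return out, nil
}

// samplePodList is constructed sample kubectl output: one crash-looping
// resolvers pod and one healthy controller pod (names are placeholders).
const samplePodList = `{"items":[
 {"metadata":{"namespace":"tekton-pipelines-resolvers","name":"tekton-pipelines-resolvers-7d9f8-abcde"},
  "status":{"containerStatuses":[{"name":"controller","restartCount":7,
    "state":{"waiting":{"reason":"CrashLoopBackOff"}},
    "lastState":{"terminated":{"reason":"OOMKilled","exitCode":137}}}]}},
 {"metadata":{"namespace":"tekton-pipelines","name":"tekton-pipelines-controller-5b6c7-fghij"},
  "status":{"containerStatuses":[{"name":"tekton-pipelines-controller","restartCount":0,
    "state":{"running":{}},"lastState":{}}]}}
]}`

func main() {
	// Usage: kubectl get pods -A -o json | go run . -   (reads the live list from stdin)
	//        go run .                                  (runs against the constructed sample)
	raw := []byte(samplePodList)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		var err error
		if raw, err = io.ReadAll(os.Stdin); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := findUnhealthy(raw, "resolvers")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s container=%s reason=%s restarts=%d\n", f.Pod, f.Container, f.Reason, f.Restarts)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a cron job or alerting rule can act on it
	}
}
```

Matching on the resolvers pod name is deliberate: a single OOM kill elsewhere in the cluster is not this advisory's signal, whereas a rising restart count together with `OOMKilled` on the resolvers pod is exactly the crash loop the detection answer describes.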
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes denial of service by crashing the tekton-pipelines-resolvers pod, which can disrupt CI/CD pipeline operations. However, it does not directly impact confidentiality or integrity of data, nor does it involve unauthorized access to personal or sensitive information.
Therefore, while the availability of services may be affected, there is no direct indication from the provided information that this vulnerability impacts compliance with standards such as GDPR or HIPAA, which primarily focus on data protection and privacy.