CVE-2026-33211

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33211
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33211.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33211
Aliases
Downstream
Related
Published
2026-03-23T23:55:54.089Z
Modified
2026-04-10T05:42:39.823275Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Tekton Pipelines git resolver has path traversal that allows reading arbitrary files from the resolver pod
Details

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests (e.g. by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.

Database specific 
{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33211.json"
}
References

Affected packages

Git / github.com/tektoncd/pipeline

Affected ranges

Type
GIT
Repo
https://github.com/tektoncd/pipeline
Events
Introduced
d9974e2cce817a43c69789161f0824e05a7572af
Fixed
ec7755031a183b345cf9e64bea0e0505c1b9cb78
Database specific 
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/tektoncd/pipeline
Events
Introduced
43c0bb99fa768ff711ad92445c43179b93232877
Fixed
10fa538f9a2b6d01c75138f1ed7ba3da0e34687c
Database specific 
{
    "versions": [
        {
            "introduced": "1.1.0"
        },
        {
            "fixed": "1.3.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/tektoncd/pipeline
Events
Introduced
eaf7dc1dca3e314c26d14caff8207026a2dfade7
Fixed
3fb58318e1805be7bdaaafcb23e42ade2edbf59c
Database specific 
{
    "versions": [
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "1.6.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/tektoncd/pipeline
Events
Introduced
478d30f0a799663216cd225cf826e0b1efdadee3
Fixed
3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd
Database specific 
{
    "versions": [
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.9.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/tektoncd/pipeline
Events
Introduced
9db88e0a3f072ade16ad0d88f1fd6a391281cf39
Fixed
cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db
Database specific 
{
    "versions": [
        {
            "introduced": "1.10.0"
        },
        {
            "fixed": "1.10.2"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.10.0
v1.10.1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.9.0
v1.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33211.json"