Kubernetes
CVE-2026-33211
CRITICAL
Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
Summary
The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests (e.g. by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data.
Details
The git resolver's getFileContent() function in pkg/resolution/resolver/git/repository.go constructs a file path by joining the repository clone directory with the user-supplied pathInRepo parameter:
fileContents, err := os.ReadFile(filepath.Join(repo.directory, path))The pathInRepo parameter is not validated for path traversal sequences. An attacker can supply values like ../../../../etc/passwd to escape the cloned repository directory and read arbitrary files from the resolver pod's filesystem.
The vulnerability was introduced in commit 318006c4e3a5 which switched the git resolver from the go-git library (using an in-memory filesystem that cannot be escaped) to shelling out to the git binary and reading files with os.ReadFile() from the real filesystem.
Impact
Arbitrary file read - A namespace-scoped tenant who can create TaskRuns or PipelineRuns with git resolver parameters can read any file readable by the resolver pod process.
Credential exfiltration and privilege escalation - The resolver pod's ServiceAccount token is readable at a well-known path (/var/run/secrets/kubernetes.io/serviceaccount/token). In the default RBAC configuration, the tekton-pipelines-resolvers ServiceAccount has get, list, and watch permissions on secrets cluster-wide. An attacker who exfiltrates this token gains the ability to read all Secrets across all namespaces, escalating from namespace-scoped access to cluster-wide secret access.
Patches
Fixed in 1.0.x, 1.3.x, 1.6.x, 1.9.x, 1.10.x.
The fix validates pathInRepo to reject paths containing .. components at parameter validation time, and adds a containment check using filepath.EvalSymlinks() to prevent symlink-based escapes from attacker-controlled repositories.
Workarounds
There is no workaround other than restricting which users can create TaskRuns, PipelineRuns, or ResolutionRequests that use the git resolver. Administrators can also reduce the impact by scoping the resolver pod's ServiceAccount RBAC permissions using a custom ClusterRole with more restrictive rules.
Affected Versions
All releases from v1.0.0 through v1.10.0, including all patch releases:
- v1.0.0, v1.1.0, v1.2.0
- v1.3.0, v1.3.1, v1.3.2
- v1.4.0, v1.5.0, v1.6.0, v1.7.0
- v1.9.0, v1.9.1, v1.10.0
Releases prior to v1.0.0 (e.g. v0.70.0 and earlier) are not affected because they used the go-git library's in-memory filesystem where path traversal cannot escape the git worktree.
Acknowledgments
This vulnerability was reported by Oleh Konko (@1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!
References
- Fix: _(link to merged PR/commit)_
- Introduced in:
318006c4e3a5("fix: resolve Git Anonymous Resolver excessive memory usage")
AnalysisAI
The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.
Technical ContextAI
The vulnerability affects the Tekton Pipelines git resolver component, specifically the getFileContent() function in pkg/resolution/resolver/git/repository.go. This is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) path traversal vulnerability introduced in commit 318006c4e3a5 when the implementation switched from the go-git library's in-memory filesystem to using the native git binary with os.ReadFile() operations on the real filesystem. The affected packages are identified via CPE as pkg:go/github.com_tektoncd_pipeline. The pathInRepo parameter accepts user-controlled input without validation against directory traversal sequences like ../, allowing escape from the cloned repository directory to access any file readable by the resolver pod process, including Kubernetes ServiceAccount tokens at well-known paths.
RemediationAI
Upgrade to the patched versions in the 1.0.x, 1.3.x, 1.6.x, 1.9.x, or 1.10.x release branches as specified in the vendor security advisory at https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c. The fix implements validation to reject pathInRepo parameters containing .. components and adds a containment check using filepath.EvalSymlinks() to prevent symlink-based escapes. If immediate patching is not possible, restrict which users can create TaskRuns, PipelineRuns, or ResolutionRequests that use the git resolver through Kubernetes RBAC policies. Additionally, reduce the blast radius by scoping the tekton-pipelines-resolvers ServiceAccount's RBAC permissions using a custom ClusterRole with more restrictive rules instead of the default cluster-wide secrets access. Review and audit existing ResolutionRequests for suspicious pathInRepo values that may indicate attempted or successful exploitation.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-j5q5-j9gm-2w5c