CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
Description (NVD)
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in the Tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
Analysis (AI)
Tekton Pipelines 0.43.0 through 1.11.0 allows authenticated attackers to bypass trusted resource verification policies because unanchored regular expression patterns match substrings rather than exact resource sources, enabling policy manipulation and unauthorized changes to the verification mode. The vulnerability stems from Go's regexp.MatchString function matching a pattern anywhere within a string rather than requiring the whole string to match, so an attacker can craft a source URI that contains a trusted pattern as a substring to trigger an unintended policy match and potentially have weaker verification keys or modes applied.
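The following Go program is an added example written for this page, not Tekton's code, to show the substring-match behaviour described in the description and analysis above and the anchored check that closes it. The Policy type, the matcher functions and the sample policy and source URIs are simplified constructions for this example; they are not Tekton's types, its documentation patterns or real repositories. It also shows the caveat a practitioner hits when anchoring: a pattern that was only ever meant to match a substring (as an unanchored regexp does) stops matching legitimate sources once it is anchored, so patterns must be rewritten to cover the whole source URI.

```go
package main

import (
	"fmt"
	"regexp"
)

// Policy models the part of a verification policy that matters here: a name
// and a list of regular-expression patterns for resource sources. This is a
// simplified assumption for the example, not Tekton's VerificationPolicy type.
type Policy struct {
	Name     string
	Patterns []string
}

// Constructed sample data (not from the advisory or any real project).
var (
	// A policy whose pattern covers the whole source URI.
	SamplePolicies = []Policy{
		{Name: "trusted-catalog", Patterns: []string{`https://github\.com/example-org/.*`}},
	}
	// A source string that should match the trusted policy.
	TrustedSource = "https://github.com/example-org/pipelines/task.yaml"
	// A source string from an untrusted host that embeds the trusted URI as
	// a substring (here, inside a query parameter).
	LookalikeSource = "https://git.untrusted.example/fetch?u=https://github.com/example-org/pipelines/task.yaml"
	// A substring-style pattern of the kind that only works when the match
	// is unanchored; anchoring it breaks legitimate matches.
	SubstringOnlyPattern = `github\.com/example-org/.*`
)

// MatchUnanchored reproduces the behaviour the advisory describes:
// regexp.MatchString succeeds if the pattern matches anywhere in source.
func MatchUnanchored(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// MatchAnchored is the hardened check: the pattern is wrapped in ^(?:...)$
// so it must match the entire source string. The non-capturing group keeps
// an alternation such as "a|b" from binding the anchors to only one side.
func MatchAnchored(pattern, source string) (bool, error) {
	return regexp.MatchString("^(?:"+pattern+")$", source)
}

// SelectPolicy returns the name of the first policy with a pattern matching
// source under the given matcher, or "" when no policy matches.
func SelectPolicy(policies []Policy, source string, match func(pattern, source string) (bool, error)) (string, error) {
	for _, pol := range policies {
		for _, pat := range pol.Patterns {
			ok, err := match(pat, source)
			if err != nil {
				return "", fmt.Errorf("policy %q pattern %q: %w", pol.Name, pat, err)
			}
			if ok {
				return pol.Name, nil
			}
		}
	}
	return "", nil
}

func main() {
	for _, src := range []string{TrustedSource, LookalikeSource} {
		u, _ := SelectPolicy(SamplePolicies, src, MatchUnanchored)
		a, _ := SelectPolicy(SamplePolicies, src, MatchAnchored)
		fmt.Printf("%s\n  unanchored -> %q\n  anchored   -> %q\n", src, u, a)
	}
	// Caveat: a substring-only pattern no longer matches the legitimate
	// source once anchored, so patterns must describe the full URI.
	ok, _ := MatchAnchored(SubstringOnlyPattern, TrustedSource)
	fmt.Printf("substring-only pattern, anchored, vs trusted source: %v\n", ok)
}
```

Running it shows the untrusted source selecting "trusted-catalog" under the unanchored matcher and no policy under the anchored one, while the trusted source selects the policy in both cases. When anchoring an existing deployment's patterns, audit each one against the real source URIs first: any pattern written for substring matching (no scheme, no host) must be rewritten as a full-URI pattern or it will silently stop matching trusted resources.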
EUVD-2026-24151
GHSA-rmx9-2pp3-xhcr