
Tekton Pipelines EUVD-2026-24151

CVE-2026-25542 MEDIUM
Incorrect Regular Expression (CWE-185)
2026-04-21 GitHub GHSA-rmx9-2pp3-xhcr
6.5 CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 6.5 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
SUSE: MEDIUM (qualitative)
Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Patch released: Apr 21, 2026 - 20:30 (nvd), patch available
Analysis Generated: Apr 21, 2026 - 16:59 (vuln.today)
EUVD ID Assigned: Apr 21, 2026 - 16:30 (euvd), EUVD-2026-24151
Analysis Generated: Apr 21, 2026 - 16:30 (vuln.today)
CVE Published: Apr 21, 2026 - 16:05 (nvd)

Description (GitHub Advisory)

The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in the Tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.

Analysis (AI)

Tekton Pipelines 0.43.0 through 1.11.0 allows authenticated attackers to bypass trusted resource verification policies via unanchored regular expression patterns that match substrings rather than exact resource sources, enabling policy manipulation and unauthorized verification mode changes. The vulnerability stems from Go's regexp.MatchString function matching patterns anywhere within a string rather than requiring full anchoring, permitting attackers to craft source URIs containing trusted patterns as substrings to trigger unintended policy matches and potentially apply weaker verification keys or modes.
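Added example (not code from the Tekton project or from the advisory) showing the matching behaviour the description and analysis above describe: Go's regexp.MatchString accepts a substring match, while wrapping the same pattern in ^(?:...)$ forces a whole-string match. The pattern and source strings are constructed samples, and the isAnchored policy lint is a hypothetical helper, not a Tekton API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample values (not from the advisory): an unanchored policy
// pattern, a genuine source that should match it, and an attacker-controlled
// source that merely contains the trusted pattern as a substring.
const (
	trustedPattern = `https://github.com/tektoncd/catalog.git`
	trustedSource  = `https://github.com/tektoncd/catalog.git`
	attackerSource = `https://example.invalid/https://github.com/tektoncd/catalog.git/evil`
)

// matchUnanchored reproduces the vulnerable behaviour: regexp.MatchString
// succeeds if the pattern matches anywhere in the source string.
func matchUnanchored(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// matchAnchored is the hardened form: the pattern is wrapped in ^(?:...)$ so it
// must describe the entire source string, not a substring of it.
func matchAnchored(pattern, source string) (bool, error) {
	re, err := regexp.Compile(`^(?:` + pattern + `)$`)
	if err != nil {
		return false, err
	}
	return re.MatchString(source), nil
}

// isAnchored is a simple lint for existing policy patterns: it flags patterns
// that do not start with ^ and end with $. It is a heuristic (a pattern ending
// in an escaped `\$` is reported as anchored), not a full regexp analysis.
func isAnchored(pattern string) bool {
	return strings.HasPrefix(pattern, "^") && strings.HasSuffix(pattern, "$")
}

func main() {
	for _, src := range []string{trustedSource, attackerSource} {
		u, _ := matchUnanchored(trustedPattern, src)
		a, _ := matchAnchored(trustedPattern, src)
		fmt.Printf("%-72s unanchored=%-5v anchored=%v\n", src, u, a)
	}
	fmt.Println("policy pattern anchored?", isAnchored(trustedPattern))
}
```

Running the lint over every spec.resources[].pattern in deployed VerificationPolicy objects is a quick way to find policies that still rely on substring matching before upgrading.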


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate to Kubernetes cluster
Delivery: Create malicious pipeline resource with crafted refSource.URI
Exploit: Submit resource containing trusted pattern as substring
Install: Regex engine matches unanchored pattern
C2: System applies trusted verification mode
Execute: Inject unsigned or malicious code
Impact: Pipeline executes with elevated privileges

Vulnerability Assessment (AI)

Exploitation: Exploitation requires all of the following: (1) the attacker must have authenticated access to a Kubernetes cluster running vulnerable Tekton Pipelines (PR:L per CVSS), (2) the target organization must have configured trusted resource verification policies using spec.resources[].pattern with unanchored regular expressions (this is the default behavior encouraged by documentation examples), and (3) the attacker must have the ability to create or modify Tekton Pipeline resources (typical PipelineRun or Task definitions) with attacker-controlled refSource.URI values. …
Risk Assessment: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) indicates network-accessible, low-complexity exploitation requiring low authentication privileges with no user interaction, achieving high integrity impact within the same security scope. …
Exploit Scenario: An authenticated attacker with Kubernetes API access submits a malicious Tekton pipeline resource that references an attacker-controlled source URI constructed as 'https://attacker.com/trusted-pattern-substring-here/malicious-code'. The trusted resource verification policy contains an unanchored pattern such as 'trusted-pattern-substring' (common in documentation examples). …
Remediation: Upgrade Tekton Pipelines to version 1.12.0 or later, which includes the fix for unanchored regex matching in trusted resource verification policies. …



Vendor Status

SUSE

Severity: Medium


EUVD-2026-24151 vulnerability details – vuln.today
