Red Hat Openshift Pipelines
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Openshift Pipelines.
Recent Red Hat Openshift Pipelines Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:26538 | (RHSA-2026:26538) Red Hat OpenShift Pipelines Release 1.21.2 | June 17, 2026 |
| RHSA-2026:26519 | (RHSA-2026:26519) Red Hat OpenShift Pipelines Release 1.21.2 | June 17, 2026 |
| RHSA-2026:24484 | (RHSA-2026:24484) Red Hat OpenShift Pipelines Release 1.21.2 | June 8, 2026 |
| RHSA-2026:21932 | (RHSA-2026:21932) Red Hat OpenShift Pipelines Release 1.20.5 | May 29, 2026 |
| RHSA-2026:21931 | (RHSA-2026:21931) Red Hat OpenShift Pipelines Release 1.20.5 | May 29, 2026 |
| RHSA-2026:10066 | (RHSA-2026:10066) Red Hat OpenShift Pipelines Release 1.20.4 | April 23, 2026 |
| RHSA-2026:10026 | (RHSA-2026:10026) Red Hat OpenShift Pipelines Release 1.20.4 | April 23, 2026 |
| RHSA-2026:6170 | (RHSA-2026:6170) Red Hat OpenShift Pipelines Release 1.21.1 | March 30, 2026 |
| RHSA-2026:6166 | (RHSA-2026:6166) Red Hat OpenShift Pipelines Release 1.21.1 | March 30, 2026 |
| RHSA-2026:3827 | (RHSA-2026:3827) Red Hat OpenShift Pipelines Release 1.20.3 | March 5, 2026 |
By the Year
In 2026 there have been 87 vulnerabilities in Red Hat Openshift Pipelines with an average score of 7.9 out of ten. Last year, in 2025 Openshift Pipelines had 2 security vulnerabilities published. That is, 85 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 3.32.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 87 | 7.87 |
| 2025 | 2 | 4.55 |
| 2024 | 2 | 7.00 |
| 2023 | 2 | 6.70 |
It may take a day or so for new Openshift Pipelines vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Openshift Pipelines Security Vulnerabilities
fast-uri <=3.1.2/4.0.0 Unicode IDN Canonicalization Bug
CVE-2026-13676
7.5 - High
- June 29, 2026
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Interpretation Conflict
undici ProxyAgent TLS drop (SOCKS5, v7.23.08.4.x)
CVE-2026-9697
7.4 - High
- June 17, 2026
Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings. Applications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange. Affected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added. Patches: Upgrade to undici v7.28.0 or v8.5.0. Workarounds: No workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.
Improper Certificate Validation
Undici v7.23.08.1.0: Cross-Origin Request Leak via Socks5ProxyAgent
CVE-2026-6734
7.5 - High
- June 17, 2026
Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP. Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin. This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0. Patches: Upgrade to undici v7.26.0 or v8.2.0. Workarounds: Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.
Origin Validation Error
Undici WS Client Unbounded Fragment Size Causes DOS (v6.x8.x)
CVE-2026-12151
7.5 - High
- June 17, 2026
Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. All releases starting at undici 6.17.0 are affected. Patches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade.
Resource Exhaustion
ws Memory Exhaustion DoS Node.js <5.2.5 6.2.4 7.5.11 8.21.0
CVE-2026-48779
7.5 - High
- June 16, 2026
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.
Resource Exhaustion
CRLF Injection in form-data <=4.0.5 via unsanitized field names and filenames
CVE-2026-12143
7.5 - High
- June 12, 2026
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
CRLF Injection
Axios Node.js HTTP Adapter Proxy-Auth Header Leak 0.31.0/1.15.0
CVE-2026-44486
7.5 - High
- June 11, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
Information Disclosure
Axios HTTP Proxy-Authorization Header Leak via Redirection v0.32.0/1.16.0
CVE-2026-44487
7.5 - High
- June 11, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axioss Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Insertion of Sensitive Information Into Sent Data
Axios size limit bypass in fetch adapter 1.7.0-1.15.x
CVE-2026-44488
7.5 - High
- June 11, 2026
Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0.
Allocation of Resources Without Limits or Throttling
Regex DoS in Axios 0.x/1.x via XSRF Cookie Name in Browser
CVE-2026-44496
7.5 - High
- June 11, 2026
Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0.
Resource Exhaustion
Prototype Pollution in Axios 0.19.00.31.1 & 1.15.2
CVE-2026-44495
7 - High
- June 11, 2026
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.
Code Injection
Axios Prototype Pollution MITM via proxy config, fixed in 1.16.0
CVE-2026-44494
8.7 - High
- June 11, 2026
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
Confused Deputy
Axios 0.32/1.16: IPv4mapped IPv6 NO_PROXY bypass issue
CVE-2026-44492
8.6 - High
- June 11, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.
SSRF
OpenShift Pipelines PrivEsc via Tekton Scheduler RB
CVE-2026-10840
7.1 - High
- June 04, 2026
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate.
Incorrect Permission Assignment for Critical Resource
Go crypto/x509 VerifyHostname DNS SAN quadratic overhead
CVE-2026-27145
7.5 - High
- June 02, 2026
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.
Unchecked Input for Loop Condition
Node.js launch-editor cmd injection via unsanitized file args v<2.9.0
CVE-2024-52011
8.3 - High
- June 01, 2026
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
Command Injection
golang.org/x/net/idna pre-0.55.0 IDN bug allows silent ASCII/Unicode mix
CVE-2026-39821
8.2 - High
- May 22, 2026
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
Improper Validation of Unsafe Equivalence in Input
shell-quote <=1.8.3 Object Token .op newline injection (CVE-2026-9277)
CVE-2026-9277
8.1 - High
- May 22, 2026
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.
Shell injection
Auth Bypass in golang.org/x/crypto/ssh <0.52.0
CVE-2026-46595
7.1 - High
- May 22, 2026
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
AuthZ
SSH Agent Constraint-Serialization Bug (v<0.52.0)
CVE-2026-39832
8.7 - High
- May 22, 2026
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
Improper Preservation of Permissions
golang.org/x/crypto/ssh: CertChecker nil callback panic <0.52.0
CVE-2026-39835
7.5 - High
- May 22, 2026
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
NULL Pointer Dereference
Resource Leak in golang.org/x/crypto/ssh <0.52.0 via Global Request Buffers
CVE-2026-39830
7.5 - High
- May 22, 2026
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
Missing Release of Resource after Effective Lifetime
go/crypto/ssh CPU DoS via oversized RSA/DSA keys before 0.52
CVE-2026-39829
7.5 - High
- May 22, 2026
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Improper Validation of Specified Quantity in Input
SSH Auth PartialSuccessError Permissions Discarded (golang.org/x/crypto/ssh <0.52.0)
CVE-2026-39828
8.8 - High
- May 22, 2026
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
Improper Preservation of Permissions
Uninitialized Mem Disclosure via ws.websocket.close() in ws <8.20.1
CVE-2026-45736
7.5 - High
- May 15, 2026
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Use of Uninitialized Resource
Protobuf.js unsafe toObject code injection before 7.5.6 & <8.0.2
CVE-2026-44293
7.1 - High
- May 13, 2026
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Code Injection
Recursion Stack Overflow in protobufjs Decoding before 7.5.6/8.0.2
CVE-2026-44289
7.5 - High
- May 13, 2026
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields. A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding. This vulnerability is fixed in 7.5.6 and 8.0.2.
Stack Exhaustion
XSS via ip-address JS lib <10.1.1: Address6.group & link not escaped
CVE-2026-42338
8.1 - High
- May 12, 2026
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.
XSS
Axios <=1.15.1 Prototype Pollution via config properties
CVE-2026-42264
7.4 - High
- May 08, 2026
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
Prototype Pollution
Go net/mail 1.25.x-1.26.3: ParseAddress/Date CPU/Memory Exhaustion
CVE-2026-39820
7.5 - High
- May 07, 2026
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Unchecked Input for Loop Condition
Double-free CVE-2026-33811 via LookupCNAME in Go net (<=1.26.2)
CVE-2026-33811
7.5 - High
- May 07, 2026
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
1341
DoS via consumePhrase in Go net/mail RFC 5322 parsing <1.26.3
CVE-2026-42499
7.5 - High
- May 07, 2026
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Creation of Immutable Text Using String Concatenation
fast-uri <=3.1.1 URI Normalization Bypass via Percent-Decoded @
CVE-2026-6322
7.5 - High
- May 05, 2026
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Interpretation Conflict
Fast-URI Path Normalization Bypass Fast-URI <=3.1.0
CVE-2026-6321
7.5 - High
- May 04, 2026
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Directory traversal
Axios 1.15.1/0.31.1 CRASH via toFormData deep nesting
CVE-2026-42039
7.5 - High
- April 24, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.
Stack Exhaustion
Axios <1.15.1 Prototype Pollution via validateStatus
CVE-2026-42041
8.2 - High
- April 24, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.
authentification
Axios HTTP Client NO_PROXY Bypass via 127.0.0.0/8 (before 1.15.1/0.31.1)
CVE-2026-42043
7.2 - High
- April 24, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.
Allowlist / Allow List
Prototype Pollution in Axios 1.0-1.15.1 (default transformResponse)
CVE-2026-42044
7.4 - High
- April 24, 2026
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Mass Assignment
Axios HTTP Client Prototype Pollution Pre 1.15.1/0.31.1
CVE-2026-42033
7.4 - High
- April 24, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.
Prototype Pollution
Tekton Pipelines 1.0-1.11.1: Git Resolver Code Execution via Unvalidated Flags
CVE-2026-40938
8.5 - High
- April 21, 2026
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.
Argument Injection
follow-redirects: Auth Header Leak via Cross-Domain Redirects (1.15.x)
CVE-2026-40895
7.5 - High
- April 21, 2026
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Information Disclosure
Code Injection via Type Field in Protobuf.js <8.0.1
CVE-2026-41242
8.8 - High
- April 18, 2026
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Code Injection
Axios <1.15.0 Prototype Pollution RCE via Gadget Attack
CVE-2026-40175
9 - Critical
- April 10, 2026
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.
HTTP Response Splitting
Axios v1.15.0 Proxy Bypass via NO_PROXY Handling SSRF
CVE-2025-62718
7 - High
- April 09, 2026
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
Confused Deputy
Go crypto/x509 Intermediates DoS (<=1.26.2)
CVE-2026-32280
7.5 - High
- April 08, 2026
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Allocation of Resources Without Limits or Throttling
Go crypto/tls TLS 1.3 KeyUpdate deadlock DoS (1.25.9 & <1.26.2)
CVE-2026-32283
7.5 - High
- April 08, 2026
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Multiple Locks of a Critical Resource
Go 1.26.x crypto/x509 DNS Constraint Case Sensitivity
CVE-2026-33810
8.8 - High
- April 08, 2026
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Improper Validation of Unsafe Equivalence in Input
Memory-safety flaw in Go pgx pgproto3 component
CVE-2026-33816
8.3 - High
- April 07, 2026
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Memory Corruption
Memory-Safety CVE-2026-33815 in pgx/v5 (Go Postgres Driver)
CVE-2026-33815
8.3 - High
- April 07, 2026
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Memory Corruption
GoJOSE JWE Decrypt Panic (DoS) Fixed v4.1.4/3.0.5
CVE-2026-34986
7.5 - High
- April 06, 2026
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Uncaught Exception
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Openshift Pipelines or by Red Hat? Click the Watch button to subscribe.