Tekton Pipelines 1.0-1.11.1: Git Resolver Code Execution via Unvalidated Flags
CVE-2026-40938 Published on April 21, 2026

Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.

NVD

Vulnerability Analysis

CVE-2026-40938 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-40938. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2026-40938 has been classified to as an Argument Injection vulnerability or weakness.


Products Associated with CVE-2026-40938

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Openshift Builds
 
Red Hat Openshift Pipelines
 
Red Hat Openshift Lightspeed
 
Red Hat Serverless
 
Red Hat Openshift Ai
 
Red Hat Container Native Virtualization
 
Red Hat Trusted Artifact Signer
 

Affected Versions

tektoncd pipeline: Red Hat OpenShift Builds 1.7.3: Red Hat OpenShift Builds 1.8.0: Red Hat OpenShift Pipelines 1.21: Red Hat OpenShift Pipelines: Red Hat OpenShift Lightspeed: Red Hat OpenShift Serverless: Red Hat OpenShift AI (RHOAI): Red Hat OpenShift Virtualization 4: Red Hat Trusted Artifact Signer:

Exploit Probability

EPSS
0.52%
Percentile
39.73%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.