Platform: go
Component: github.com/tektoncd/pipeline
Fixed in: 1.0.1, 1.1.1, 1.4.1, 1.7.1, 1.10.1
CVE-2026-33211 is a critical Path Traversal vulnerability discovered in the Tekton Pipelines git resolver. This flaw allows authorized tenants to read arbitrary files from the resolver pod's filesystem, potentially exposing sensitive data like ServiceAccount tokens. The vulnerability impacts versions prior to 1.0.1 and has been addressed with a patch.
The primary impact of CVE-2026-33211 is unauthorized access to sensitive files inside the Tekton Pipelines resolver pod. An attacker who can create ResolutionRequests can exploit this vulnerability to read arbitrary files, including ServiceAccount tokens. Compromising those tokens grants the attacker elevated privileges within the Kubernetes cluster, enabling lateral movement and potentially complete control over the affected environment. Because the file contents are returned base64-encoded in resolutionrequest.status.data, exfiltration is straightforward. The flaw resembles other path traversal issues in which attackers rely on predictable filesystem layouts to reach restricted resources.
CVE-2026-33211 was publicly disclosed on 2026-03-18. Its severity is rated CRITICAL (CVSS 9.6). No public proof-of-concept (POC) code has been released as of this writing, but the ease of exploitation makes it a high-priority concern. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33211 is to upgrade Tekton Pipelines to version 1.0.1 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, restrict the permissions of tenants who can create ResolutionRequests to minimize the attack surface, and apply network policies that limit access to the resolver pod. A Web Application Firewall (WAF) can filter requests containing path traversal sequences, although this is not a complete solution on its own. After upgrading, verify the fix by attempting to access a non-existent file via the pathInRepo parameter and confirming that access is denied.
Update Tekton Pipelines to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2 or later. These versions contain a fix for the path traversal vulnerability in the git resolver.
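The root cause described above is a user-controlled pathInRepo value being joined onto the repository checkout without confirming that the result still lies inside it. The following is an added example, not Tekton's own code or its actual fix, of the kind of containment check a resolver should apply before opening the file: it resolves the requested path against the checkout root and rejects anything that lands outside, including absolute paths and `..` sequences that escape. The repository root `/workspace/repo`, the function name `ResolvePathInRepo` and the sample requests in `main` are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscapesRepo is returned when a requested path would resolve outside
// the repository checkout.
var ErrPathEscapesRepo = errors.New("pathInRepo escapes the repository root")

// ResolvePathInRepo maps a user-supplied pathInRepo onto the checkout at
// repoRoot and returns the absolute path to open, or an error if the request
// is empty, absolute, names the root itself, or escapes the root.
// Hypothetical helper written for this example; not Tekton's own code.
func ResolvePathInRepo(repoRoot, pathInRepo string) (string, error) {
	if pathInRepo == "" {
		return "", errors.New("pathInRepo must not be empty")
	}
	// The parameter is defined as relative to the repository, so an absolute
	// path such as /var/run/secrets/... is never legitimate.
	if filepath.IsAbs(pathInRepo) {
		return "", ErrPathEscapesRepo
	}
	root := filepath.Clean(repoRoot)
	// Join cleans the result, so "a/../b" collapses to "b". Only the final
	// location matters: a path that dips outside and comes back is harmless,
	// one that ends outside is rejected below.
	full := filepath.Join(root, pathInRepo)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == "." {
		return "", errors.New("pathInRepo must name a file inside the repository")
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapesRepo
	}
	return full, nil
}

func main() {
	// Constructed sample requests, the kind of values a resolver would see.
	requests := []string{
		"tasks/build.yaml",
		"tasks/../pipeline.yaml",
		"../../../var/run/secrets/kubernetes.io/serviceaccount/token",
		"/etc/hostname",
		"",
	}
	for _, p := range requests {
		full, err := ResolvePathInRepo("/workspace/repo", p)
		if err != nil {
			fmt.Printf("REJECT %q: %v\n", p, err)
			continue
		}
		fmt.Printf("ALLOW  %q -> %s\n", p, full)
	}
}
```

This check only reasons about the path string. A symlink committed into the repository that points outside the checkout would still pass it, so the file should be opened in a way that refuses to follow links out of the root (for example, resolving with `filepath.EvalSymlinks` and re-running the containment check on the result) rather than relying on the string check alone.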
CVE-2026-33211 is a critical vulnerability in Tekton Pipelines allowing attackers to read arbitrary files via the pathInRepo parameter, potentially exposing sensitive data like ServiceAccount tokens.
You are affected if you are using Tekton Pipelines versions prior to 1.0.1 and have tenants with permission to create ResolutionRequests.
Upgrade Tekton Pipelines to version 1.0.1 or later to address the vulnerability. Restrict tenant permissions as an interim measure.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official Tekton Pipelines security advisory for detailed information and updates: https://github.com/tektoncd/pipeline/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder; replace with the actual advisory link)