CVE-2026-33022: CWE-129: Improper Validation of Array Index in tektoncd pipeline
CVE-2026-33022 is a medium severity denial-of-service vulnerability in Tekton Pipelines affecting multiple versions prior to patched releases. It arises from improper validation of array indices when generating deterministic names for TaskRun or PipelineRun resources with custom resolver names longer than 30 characters. This causes the controller to panic due to invalid string slicing, leading to a cluster-wide controller crash and a CrashLoopBackOff state. The impact blocks all CI/CD pipeline reconciliation until the offending resource is manually removed. Built-in resolvers are unaffected, but any custom resolver name exceeding 30 characters triggers the issue. The vulnerability requires authenticated users with permission to create TaskRun or PipelineRun resources but no user interaction beyond resource creation. Fixed versions have been released that properly truncate the resolver name prefix to prevent the panic. Organizations using Tekton Pipelines with custom resolvers should upgrade immediately to avoid disruption.
AI Analysis
Technical Summary
Tekton Pipelines is a Kubernetes-native framework for defining CI/CD pipelines. Versions 0.60.0 through 1.10.1 (with some gaps) contain a denial-of-service vulnerability identified as CVE-2026-33022, caused by improper validation of array indices (CWE-129) in the function GenerateDeterministicNameFromSpec. When a user creates a TaskRun or PipelineRun resource specifying a .spec.taskRef.resolver or .spec.pipelineRef.resolver string longer than 30 characters, the generated name exceeds the 63-character DNS-1123 label limit. The truncation logic attempts to slice the string but panics due to a negative index ([-1] slice bound) because the generated name contains no spaces. This panic crashes the Tekton controller, which then enters a CrashLoopBackOff state on restart because it continuously tries to reconcile the problematic resource. This effectively halts all pipeline reconciliation cluster-wide, causing denial of service for CI/CD operations. The vulnerability only affects custom resolvers with long names; built-in resolvers like git, cluster, bundles, and hub use short names and are unaffected. The issue requires the ability to create TaskRun or PipelineRun resources, which typically requires authenticated access with appropriate permissions. The fix, released in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, changes the truncation logic to shorten the resolver-name prefix instead of the entire string, preserving the hash suffix for uniqueness and preventing the panic. No known exploits are reported in the wild as of publication.
Potential Impact
This vulnerability can cause a complete denial of service of Tekton Pipelines controllers in Kubernetes clusters, disrupting all CI/CD pipeline executions and automation relying on Tekton. Since the controller crashes and enters a CrashLoopBackOff, no pipeline runs can be processed until the offending resource is deleted or the controller is upgraded. This can severely impact development velocity, continuous integration, and deployment workflows, especially in organizations heavily reliant on Tekton for automation. The impact is cluster-wide, affecting all pipelines managed by the controller. Attackers with permission to create TaskRun or PipelineRun resources can exploit this to cause operational disruption. Although it does not affect confidentiality or integrity directly, the availability impact is significant. Recovery requires manual intervention or patching, which may cause downtime. The vulnerability is particularly critical in environments where Tekton is used as a central CI/CD platform and where custom resolvers are employed.
Mitigation Recommendations
Organizations should immediately upgrade Tekton Pipelines to one of the patched versions: 1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2, depending on their current version. Until upgrade is possible, restrict permissions to create TaskRun and PipelineRun resources to trusted users only, minimizing the risk of malicious or accidental creation of resources with long resolver names. Implement admission controllers or Kubernetes policies to validate and reject TaskRun or PipelineRun resources with .spec.taskRef.resolver or .spec.pipelineRef.resolver strings longer than 30 characters. Monitor controller logs for panic or CrashLoopBackOff states and have procedures to quickly identify and delete offending resources. Review and audit custom resolver naming conventions to ensure names are within safe length limits. Consider isolating Tekton controllers in dedicated namespaces or clusters to limit blast radius. Maintain regular backups of pipeline configurations to facilitate recovery. Engage with Tekton community updates for any further patches or mitigations.
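The truncation bug described in the technical summary and the shape of the fix, as a constructed Go illustration added here; it is not Tekton's GenerateDeterministicNameFromSpec nor any code from the project. hashSuffix, vulnerableName, fixedName, panicsOnName and resolverNameOK are hypothetical names, and the 32-character hash suffix is an assumption chosen so that a resolver name over 30 characters pushes the total past the 63-character limit.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

const (
	maxLabelLen    = 63 // DNS-1123 label limit named in the advisory
	maxResolverLen = 30 // longest resolver leaving room for "-" plus the 32-char hash (assumption)
)

// hashSuffix is a constructed stand-in for the uniqueness hash appended to the name.
func hashSuffix(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:])[:32]
}

// vulnerableName models the bug class: an over-long name is cut at its last space, but
// generated names contain no spaces, so LastIndex yields -1 and name[:-1] panics
// ("slice bounds out of range [:-1]"); in the controller that panic is the crash.
func vulnerableName(resolver, spec string) string {
	name := resolver + "-" + hashSuffix(spec)
	if len(name) > maxLabelLen {
		name = name[:strings.LastIndex(name, " ")]
	}
	return name
}

// fixedName models the fix described: shorten only the resolver prefix, keep the hash.
func fixedName(resolver, spec string) string {
	suffix := hashSuffix(spec)
	if limit := maxLabelLen - len(suffix) - 1; len(resolver) > limit {
		resolver = resolver[:limit]
	}
	return resolver + "-" + suffix
}

// panicsOnName reports whether the vulnerable path crashes for the given inputs.
func panicsOnName(resolver, spec string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	vulnerableName(resolver, spec)
	return false
}

// resolverNameOK is the admission-time length check the advisory recommends until upgrade.
func resolverNameOK(resolver string) bool {
	return len(resolver) <= maxResolverLen
}
```

A policy engine enforcing resolverNameOK on .spec.taskRef.resolver and .spec.pipelineRef.resolver at admission rejects the offending resource before the controller ever sees it.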
Affected Countries
United States, Germany, Japan, India, United Kingdom, Canada, Australia, Netherlands, France, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T17:22:14.667Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bcfd2fe32a4fbe5f3cd696
Added to database: 3/20/2026, 7:54:23 AM
Last enriched: 3/27/2026, 7:40:28 PM
Last updated: 5/2/2026, 9:10:02 PM