Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.6%top 57%

CVE-2026-33211: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tektoncd pipeline

0
Critical
VulnerabilityCVE-2026-33211cvecve-2026-33211cwe-22
Published: 03/23/2026 (03/23/2026, 23:55:54 UTC)
Source: CVE Database V5
Vendor/Project: tektoncd
Product: pipeline

Description

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.

CVSS v3.1

Score 9.6critical

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected software

Affected versions
>=1.0.0 <1.0.1>=1.0.0 <1.3.3>=1.0.0 <1.6.1>=1.0.0 <1.9.2>=1.0.0 <1.10.2

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 06/30/2026, 21:42:56 UTC

Technical Analysis

Tekton Pipelines, a Kubernetes-style CI/CD pipeline project, has a path traversal vulnerability (CWE-22) in its git resolver component. The vulnerability exists in versions starting from 1.0.0 and prior to 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. It allows a tenant with permission to create ResolutionRequests (such as by creating TaskRuns or PipelineRuns using the git resolver) to specify a crafted `pathInRepo` parameter that escapes the intended directory restrictions. This enables reading arbitrary files from the resolver pod's filesystem, including sensitive files like ServiceAccount tokens. The contents of these files are returned base64-encoded in the resolutionrequest.status.data field. The vulnerability has a CVSS 3.1 score of 9.6 (critical) with network attack vector, low attack complexity, and privileges required. Official patches have been released in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. Red Hat advisories confirm the availability of fixes.

Potential Impact

Exploitation of this vulnerability allows an attacker with limited privileges (permission to create ResolutionRequests) to read arbitrary files on the resolver pod's filesystem. This includes sensitive credentials such as ServiceAccount tokens, which could lead to privilege escalation or further compromise within the Kubernetes environment. The vulnerability does not directly allow code execution or denial of service but compromises confidentiality and integrity of sensitive data.

Mitigation Recommendations

Official patches addressing this vulnerability are available in Tekton Pipelines versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. It is strongly recommended to upgrade to one of these fixed versions to remediate the issue. No vendor advisory indicates that the vulnerability is already mitigated without patching, so applying the official updates is necessary. Review and restrict permissions to create ResolutionRequests to trusted users only as a temporary measure.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-17T23:23:58.313Z
Cvss Version
3.1
State
PUBLISHED
Vendor Advisory Urls
[{"url":"https://access.redhat.com/security/cve/CVE-2026-33211","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:10155","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:10158","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6170","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:6166","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:24484","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:10066","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:21932","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:21931","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:10026","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:10125","vendor":"Red Hat"}]

Threat ID: 69c1e5e3f4197a8e3bb3f17b

Added to database: 03/24/2026, 01:16:19 UTC

Last enriched: 06/30/2026, 21:42:56 UTC

Last updated: 07/05/2026, 23:04:29 UTC

Views: 171

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses