CVE-2026-40161: CWE-201: Insertion of Sensitive Information Into Sent Data in tektoncd pipeline
CVE-2026-40161 is a vulnerability in Tekton Pipelines versions 1. 0. 0 through 1. 10. 0 where the git resolver in API mode sends the system-configured Git API token to a user-controlled server URL if the token parameter is omitted. This allows a tenant with TaskRun or PipelineRun create permissions to exfiltrate sensitive Git API tokens by directing the server URL to an attacker-controlled endpoint. The vulnerability has a high severity with a CVSS score of 7. 7 and impacts confidentiality but not integrity or availability.
AI Analysis
Technical Summary
Tekton Pipelines, a Kubernetes-style CI/CD pipeline project, has a vulnerability (CVE-2026-40161) in its git resolver component for versions 1.0.0 to 1.10.0. When operating in API mode, if a user omits the token parameter, the system automatically sends the configured Git API token (such as GitHub PAT or GitLab token) to the specified serverURL. Because the serverURL can be user-controlled, an attacker with permissions to create TaskRun or PipelineRun resources can cause the token to be sent to an endpoint they control, leading to exfiltration of sensitive credentials. This vulnerability is categorized under CWE-201 (Insertion of Sensitive Information Into Sent Data). No official patch or remediation level has been published yet.
Potential Impact
The vulnerability allows an attacker with limited permissions (TaskRun or PipelineRun create) to exfiltrate sensitive Git API tokens configured in the system by manipulating the serverURL parameter. This results in a high confidentiality impact as these tokens can provide unauthorized access to Git repositories. There is no impact on integrity or availability. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict permissions to create TaskRun or PipelineRun resources to trusted users only and monitor usage for suspicious serverURL parameters. Avoid omitting the token parameter in the git resolver configuration to prevent automatic token transmission to untrusted endpoints.
CVE-2026-40161: CWE-201: Insertion of Sensitive Information Into Sent Data in tektoncd pipeline
Description
CVE-2026-40161 is a vulnerability in Tekton Pipelines versions 1. 0. 0 through 1. 10. 0 where the git resolver in API mode sends the system-configured Git API token to a user-controlled server URL if the token parameter is omitted. This allows a tenant with TaskRun or PipelineRun create permissions to exfiltrate sensitive Git API tokens by directing the server URL to an attacker-controlled endpoint. The vulnerability has a high severity with a CVSS score of 7. 7 and impacts confidentiality but not integrity or availability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tekton Pipelines, a Kubernetes-style CI/CD pipeline project, has a vulnerability (CVE-2026-40161) in its git resolver component for versions 1.0.0 to 1.10.0. When operating in API mode, if a user omits the token parameter, the system automatically sends the configured Git API token (such as GitHub PAT or GitLab token) to the specified serverURL. Because the serverURL can be user-controlled, an attacker with permissions to create TaskRun or PipelineRun resources can cause the token to be sent to an endpoint they control, leading to exfiltration of sensitive credentials. This vulnerability is categorized under CWE-201 (Insertion of Sensitive Information Into Sent Data). No official patch or remediation level has been published yet.
Potential Impact
The vulnerability allows an attacker with limited permissions (TaskRun or PipelineRun create) to exfiltrate sensitive Git API tokens configured in the system by manipulating the serverURL parameter. This results in a high confidentiality impact as these tokens can provide unauthorized access to Git repositories. There is no impact on integrity or availability. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict permissions to create TaskRun or PipelineRun resources to trusted users only and monitor usage for suspicious serverURL parameters. Avoid omitting the token parameter in the git resolver configuration to prevent automatic token transmission to untrusted endpoints.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T19:31:56.014Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7a9cf19fe3cd2cde6d348
Added to database: 4/21/2026, 4:46:07 PM
Last enriched: 4/21/2026, 5:01:23 PM
Last updated: 4/21/2026, 5:49:52 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.