CVE-2026-40924: CWE-400: Uncontrolled Resource Consumption in tektoncd pipeline
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.
AI Analysis
Technical Summary
Tekton Pipelines versions before 1.11.1 contain an uncontrolled resource consumption vulnerability (CWE-400) in the HTTP resolver component. The FetchHttpResource function calls io.ReadAll on the HTTP response body without limiting its size, allowing an attacker-controlled HTTP server to send a large response that exhausts pod memory. This causes the tekton-pipelines-resolvers pod to be OOM-killed, disrupting all resolver services running in that pod and denying resolution functionality cluster-wide. Both deprecated and current HTTP resolver implementations are affected. The issue is resolved in Tekton Pipelines 1.11.1.
Potential Impact
Exploitation leads to denial of service by causing the tekton-pipelines-resolvers pod to be killed due to out-of-memory conditions. This disrupts all resolver types (Git, Hub, Bundle, Cluster, HTTP) since they share the same pod, resulting in loss of resolution service for the entire cluster. Repeated exploitation can cause sustained crash loops, severely impacting CI/CD pipeline operations. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
A fix is available in Tekton Pipelines version 1.11.1. Users should upgrade to this version or later to remediate the vulnerability. No other official remediation or temporary fixes are documented. Until upgraded, restrict permissions to create TaskRuns or PipelineRuns that use the HTTP resolver to trusted users only.
CVE-2026-40924: CWE-400: Uncontrolled Resource Consumption in tektoncd pipeline
Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tekton Pipelines versions before 1.11.1 contain an uncontrolled resource consumption vulnerability (CWE-400) in the HTTP resolver component. The FetchHttpResource function calls io.ReadAll on the HTTP response body without limiting its size, allowing an attacker-controlled HTTP server to send a large response that exhausts pod memory. This causes the tekton-pipelines-resolvers pod to be OOM-killed, disrupting all resolver services running in that pod and denying resolution functionality cluster-wide. Both deprecated and current HTTP resolver implementations are affected. The issue is resolved in Tekton Pipelines 1.11.1.
Potential Impact
Exploitation leads to denial of service by causing the tekton-pipelines-resolvers pod to be killed due to out-of-memory conditions. This disrupts all resolver types (Git, Hub, Bundle, Cluster, HTTP) since they share the same pod, resulting in loss of resolution service for the entire cluster. Repeated exploitation can cause sustained crash loops, severely impacting CI/CD pipeline operations. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
A fix is available in Tekton Pipelines version 1.11.1. Users should upgrade to this version or later to remediate the vulnerability. No other official remediation or temporary fixes are documented. Until upgraded, restrict permissions to create TaskRuns or PipelineRuns that use the HTTP resolver to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.517Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7e5b119fe3cd2cdfa01c1
Added to database: 4/21/2026, 9:01:37 PM
Last enriched: 4/21/2026, 9:17:01 PM
Last updated: 4/22/2026, 6:07:11 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.