CVE-2026-40938: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in tektoncd pipeline
CVE-2026-40938 is a high-severity vulnerability in Tekton Pipelines versions from 1. 0. 0 up to but not including 1. 11. 1. It involves improper neutralization of argument delimiters in the git resolver's revision parameter, allowing an attacker to inject arbitrary git fetch flags. This can lead to arbitrary code execution on the resolver pod. Because the resolver pod's ServiceAccount has cluster-wide permissions to access all Secrets, exploitation can result in full cluster-wide secret exfiltration. The vulnerability is fixed in version 1. 11.
AI Analysis
Technical Summary
Tekton Pipelines' git resolver passes the revision parameter directly as a positional argument to 'git fetch' without validating that it does not start with a '-' character. Since git interprets flags from positional arguments, an attacker can inject malicious git fetch flags such as '--upload-pack=<binary>'. Combined with the validateRepoURL function allowing local filesystem paths, a tenant able to submit ResolutionRequest objects can execute arbitrary binaries on the resolver pod. The resolver pod's ServiceAccount holds cluster-wide get/list/watch permissions on all Secrets, enabling an attacker to exfiltrate all cluster secrets upon successful exploitation. This vulnerability affects versions >=1.0.0 and <1.11.1 and is resolved in version 1.11.1.
Potential Impact
Successful exploitation allows an attacker with permission to submit ResolutionRequest objects to execute arbitrary code on the resolver pod. Given the resolver pod's ServiceAccount has cluster-wide permissions to access all Secrets, this leads to full cluster-wide secret exfiltration. The CVSS 3.1 base score is 7.5 (High), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring low privileges but high attack complexity.
Mitigation Recommendations
This vulnerability is fixed in Tekton Pipelines version 1.11.1. Users should upgrade to version 1.11.1 or later to remediate this issue. No other official remediation or temporary fixes are documented. Patch status is confirmed by the vendor's versioning information.
CVE-2026-40938: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in tektoncd pipeline
Description
CVE-2026-40938 is a high-severity vulnerability in Tekton Pipelines versions from 1. 0. 0 up to but not including 1. 11. 1. It involves improper neutralization of argument delimiters in the git resolver's revision parameter, allowing an attacker to inject arbitrary git fetch flags. This can lead to arbitrary code execution on the resolver pod. Because the resolver pod's ServiceAccount has cluster-wide permissions to access all Secrets, exploitation can result in full cluster-wide secret exfiltration. The vulnerability is fixed in version 1. 11.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tekton Pipelines' git resolver passes the revision parameter directly as a positional argument to 'git fetch' without validating that it does not start with a '-' character. Since git interprets flags from positional arguments, an attacker can inject malicious git fetch flags such as '--upload-pack=<binary>'. Combined with the validateRepoURL function allowing local filesystem paths, a tenant able to submit ResolutionRequest objects can execute arbitrary binaries on the resolver pod. The resolver pod's ServiceAccount holds cluster-wide get/list/watch permissions on all Secrets, enabling an attacker to exfiltrate all cluster secrets upon successful exploitation. This vulnerability affects versions >=1.0.0 and <1.11.1 and is resolved in version 1.11.1.
Potential Impact
Successful exploitation allows an attacker with permission to submit ResolutionRequest objects to execute arbitrary code on the resolver pod. Given the resolver pod's ServiceAccount has cluster-wide permissions to access all Secrets, this leads to full cluster-wide secret exfiltration. The CVSS 3.1 base score is 7.5 (High), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring low privileges but high attack complexity.
Mitigation Recommendations
This vulnerability is fixed in Tekton Pipelines version 1.11.1. Users should upgrade to version 1.11.1 or later to remediate this issue. No other official remediation or temporary fixes are documented. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.518Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7e5b119fe3cd2cdfa01c5
Added to database: 4/21/2026, 9:01:37 PM
Last enriched: 4/21/2026, 9:16:25 PM
Last updated: 4/21/2026, 10:15:16 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.