Tekton Pipelines Git Resolver Leaks API Tokens

/HIGH /CVSS 7.7/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-201
Tekton Pipelines Git Resolver Leaks API Tokens

The National Vulnerability Database (NVD) has disclosed a critical vulnerability, CVE-2026-40161, impacting the Tekton Pipelines project. Versions from 1.0.0 to 1.10.0 contain a flaw in the git resolver when operating in API mode. Specifically, if a user omits the token parameter while configuring the serverURL, the system-configured Git API token (such as a GitHub PAT or GitLab token) is sent to that user-controlled serverURL.

This vulnerability allows a tenant with TaskRun or PipelineRun creation permissions to exfiltrate these sensitive API tokens. By manipulating the serverURL to point to an attacker-controlled endpoint, they can effectively steal credentials used for CI/CD operations. The NVD assigned this a CVSS score of 7.7 (HIGH), highlighting the significant risk of data exposure and potential downstream compromises.

Defenders must prioritize patching or upgrading Tekton Pipelines installations beyond version 1.10.0. For environments that cannot be immediately updated, review Git token configurations and ensure that only trusted serverURL values are permitted. Auditing Git token usage and access logs can help detect any unauthorized exfiltration attempts.

What This Means For You

  • If your organization uses Tekton Pipelines (versions 1.0.0-1.10.0), immediately review your CI/CD configurations. Ensure that Git API tokens are not being exposed via a user-controlled `serverURL` and prioritize upgrading to a patched version to prevent token exfiltration.

Related ATT&CK Techniques

T1041 Exfiltration Over C2 Channel Exfiltration T1537 Transfer Data to Cloud Account Exfiltration T1071.004 Web Protocols Command and Control

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1537 Exfiltration

Tekton Git Resolver API Token Exfiltration via ServerURL - CVE-2026-40161

Sigma YAML — free preview
✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Export via Bot →

Indicators of Compromise

IDTypeIndicator
CVE-2026-40161 Information Disclosure Tekton Pipelines git resolver in API mode
CVE-2026-40161 Information Disclosure Tekton Pipelines versions 1.0.0 to 1.10.0
CVE-2026-40161 Information Disclosure Exfiltration of Git API token (GitHub PAT, GitLab token) via user-controlled serverURL

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 21, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related Posts

CVE-2026-6744 — Bagisto Server-Side Request Forgery

CVE-2026-6744 — A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results...

vulnerabilityCVEmedium-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 2 IOCs /⚙ 3 Sigma

Kyverno Policy Engine Flaw Leaks Service Account Tokens

CVE-2026-40868 — Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer...

vulnerabilityCVEhigh-severitycwe-922
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 4 IOCs /⚙ 3 Sigma

Coturn ARM64 Crash: Unauthenticated DoS via Crafted STUN Message

CVE-2026-40613 — Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform...

vulnerabilityCVEhigh-severitycwe-704
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 1 Sigma