Tekton Pipeline Git Resolver Git Argument Injection Vulnerability
The Tekton Pipeline Git Resolver is vulnerable to git argument injection due to the unsanitized `revision` parameter in the `git fetch` command, allowing remote code execution on the resolver pod and cluster-wide secret exfiltration.
The Tekton Pipeline Git Resolver is susceptible to a git argument injection vulnerability. This flaw stems from the improper sanitization of the revision parameter, which is directly passed to the git fetch command. This allows an attacker to inject arbitrary git fetch flags, such as --upload-pack=<binary>. Coupled with the ability to specify local filesystem paths as Git repositories, this enables a malicious actor to execute arbitrary binaries on the resolver pod. The vulnerability affects Tekton Pipelines versions 1.0.0 through 1.11.0. Successful exploitation leads to full cluster-wide secret exfiltration due to the resolver pod's ServiceAccount permissions. This vulnerability impacts any Tekton Pipeline installation where untrusted users can submit ResolutionRequest objects.
Attack Chain
- An attacker crafts a
ResolutionRequestobject with a maliciousrevisionparameter. This parameter contains agit fetchflag such as--upload-pack=/usr/bin/curl. Theurlparameter is set to a local file system path. - The Tekton Git Resolver receives the
ResolutionRequestand calls thecheckoutfunction inpkg/resolution/resolver/git/repository.go. - The
checkoutfunction executesgit fetch origin <malicious revision> --depth=1viaexec.CommandContext, without any validation on the revision parameter. - Git interprets the injected
--upload-packflag and executes the specified binary (e.g.,/usr/bin/curl) on the resolver pod. The path to a git repository is passed to the executed command as an argument. - The attacker uses the executed binary (e.g. curl) to exfiltrate sensitive information, such as the service account token found at
/var/run/secrets/kubernetes.io/serviceaccount/token. - The attacker uses the service account token to read secrets from the Kubernetes API, since the
tekton-pipelines-resolversServiceAccount has cluster-wideget/list/watchpermissions on all Secrets. - The attacker escalates privileges by using the exfiltrated secrets, such as kubeconfig files or cloud provider credentials, to move laterally within the cloud infrastructure.
Impact
This vulnerability allows for arbitrary code execution on the Tekton Pipeline resolver pod. Since the tekton-pipelines-resolvers ServiceAccount possesses cluster-wide get/list/watch permissions on all Secrets, successful exploitation leads to full cluster-wide Secret exfiltration. This can then be leveraged for privilege escalation and lateral movement within the associated cloud infrastructure. The impact is significant, potentially leading to complete compromise of the Kubernetes cluster and associated resources. This issue affects Tekton Pipelines installations with versions ranging from 1.0.0 to 1.11.0.
Recommendation
- Deploy the Sigma rule
Detect Tekton Git Resolver Upload Pack Injectionto detect exploitation attempts by monitoring process creations with the--upload-packargument. - Apply Fix 1 as described in the advisory by validating that the
revisionparameter does not begin with a-character inPopulateDefaultParams. - Apply Fix 2 by restricting
validateRepoURLto remote URLs only to eliminate local-path remotes. - Upgrade Tekton Pipelines to a patched version beyond 1.11.0 to remediate CVE-2026-40938.
Detection coverage 2
Detect Tekton Git Resolver Upload Pack Injection
criticalDetects process creations that use the `--upload-pack` argument, indicating a potential git argument injection vulnerability in the Tekton Git Resolver.
Detect Tekton Git Resolver Local Path Access
mediumDetects process creations where git is used with a local file path as the repository URL, potentially indicating exploitation of the local path vulnerability in Tekton Git Resolver.
Detection queries are available on the platform. Get full rules →