{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33211/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tekton","path-traversal","kubernetes","cve-2026-33211","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD pipelines. A path traversal vulnerability exists in the git resolver component, tracked as CVE-2026-33211. This vulnerability affects Tekton Pipelines versions 1.0.0 and prior to 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. An attacker with the ability to create \u003ccode\u003eResolutionRequests\u003c/code\u003e (e.g., through \u003ccode\u003eTaskRuns\u003c/code\u003e or \u003ccode\u003ePipelineRuns\u003c/code\u003e that utilize the git resolver) can exploit this flaw to read any file from the resolver pod\u0026rsquo;s file system. A successful exploit allows attackers to retrieve sensitive information, such as ServiceAccount tokens, which are base64-encoded and returned in \u003ccode\u003eresolutionrequest.status.data\u003c/code\u003e. The vulnerability has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. This poses a significant risk in multi-tenant environments where lateral movement and privilege escalation are possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to create \u003ccode\u003eTaskRuns\u003c/code\u003e or \u003ccode\u003ePipelineRuns\u003c/code\u003e within a Tekton Pipelines environment.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eResolutionRequest\u003c/code\u003e that leverages the git resolver.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eResolutionRequest\u003c/code\u003e, the attacker injects a path traversal sequence into the \u003ccode\u003epathInRepo\u003c/code\u003e parameter, such as \u0026ldquo;../../../../etc/passwd\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe git resolver attempts to resolve the resource using the provided path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the resolver accesses the file specified by the attacker on the resolver pod\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe contents of the accessed file are read by the resolver.\u003c/li\u003e\n\u003cli\u003eThe resolver encodes the file content in base64.\u003c/li\u003e\n\u003cli\u003eThe base64-encoded content is returned in the \u003ccode\u003eresolutionrequest.status.data\u003c/code\u003e field, allowing the attacker to retrieve the content. This can include sensitive files such as ServiceAccount tokens.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33211 allows attackers to read arbitrary files from the Tekton Pipelines resolver pod. This can lead to the compromise of sensitive information, including ServiceAccount tokens. If ServiceAccount tokens are compromised, attackers can potentially gain unauthorized access to Kubernetes resources, leading to privilege escalation, lateral movement within the cluster, and potential data exfiltration. The impact is especially high in multi-tenant environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tekton Pipelines to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2 or later to patch CVE-2026-33211.\u003c/li\u003e\n\u003cli\u003eImplement strict RBAC policies to limit the ability to create \u003ccode\u003eTaskRuns\u003c/code\u003e and \u003ccode\u003ePipelineRuns\u003c/code\u003e to only authorized users and service accounts.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes API audit logs for suspicious \u003ccode\u003eResolutionRequest\u003c/code\u003e creation events (see rule: \u0026ldquo;Detect Suspicious ResolutionRequest Creation\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network policies to restrict network access from the resolver pod to only necessary resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T00:16:29Z","date_published":"2026-03-24T00:16:29Z","id":"/briefs/2026-03-tekton-traversal/","summary":"The Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter, allowing arbitrary file reads from the resolver pod's filesystem, including ServiceAccount tokens.","title":"Tekton Pipelines Git Resolver Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tekton-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33211","version":"https://jsonfeed.org/version/1.1"}