{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40161/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-40161"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["tekton","credential-access","cve-2026-40161"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTekton Pipelines, a Kubernetes-style resource for declaring CI/CD pipelines, contains a vulnerability (CVE-2026-40161) in its git resolver component. Specifically, versions 1.0.0 to 1.10.0 are affected. When operating in API mode, the resolver inadvertently sends the system-configured Git API token (e.g., GitHub PAT, GitLab token) to a server specified by the user if the token parameter is omitted. This allows an attacker with TaskRun or PipelineRun creation privileges to exfiltrate the shared API token by directing the serverURL to an attacker-controlled endpoint. The vulnerability allows for the potential compromise of CI/CD pipelines and related infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a Kubernetes tenant with permissions to create TaskRun or PipelineRun resources within Tekton Pipelines.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious TaskRun or PipelineRun configuration.\u003c/li\u003e\n\u003cli\u003eThe configuration leverages the Tekton Pipelines git resolver in API mode.\u003c/li\u003e\n\u003cli\u003eThe attacker omits the \u003ccode\u003etoken\u003c/code\u003e parameter in the git resolver configuration, forcing the system to use the system-configured Git API token.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eserverURL\u003c/code\u003e parameter to an attacker-controlled endpoint.\u003c/li\u003e\n\u003cli\u003eTekton Pipelines, upon execution of the TaskRun or PipelineRun, sends the system-configured Git API token to the attacker-controlled \u003ccode\u003eserverURL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server logs and captures the leaked Git API token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated token to access and potentially compromise Git repositories or other services authenticated by the token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40161 allows an attacker to steal the system-configured Git API token used by Tekton Pipelines. This could lead to unauthorized access to Git repositories, the modification of code, and the potential compromise of the entire CI/CD pipeline. Given Tekton\u0026rsquo;s widespread adoption, a successful attack could affect numerous organizations using the vulnerable versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tekton Pipelines to a version greater than 1.10.0 to remediate CVE-2026-40161.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls within the Kubernetes cluster to limit TaskRun and PipelineRun creation privileges to authorized users only.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic originating from Tekton Pipelines pods for connections to unusual or untrusted \u003ccode\u003eserverURL\u003c/code\u003e destinations, and create a network connection rule to alert on them.\u003c/li\u003e\n\u003cli\u003eReview Tekton Pipelines configurations for suspicious \u003ccode\u003eserverURL\u003c/code\u003e parameters using a file monitoring rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-tekton-credential-leak/","summary":"Tekton Pipelines versions 1.0.0 to 1.10.0 are vulnerable to credential access, where the Git resolver in API mode transmits the system-configured Git API token to a user-controlled serverURL, enabling token exfiltration via a malicious server.","title":"Tekton Pipelines Git Resolver API Token Leak via ServerURL Manipulation (CVE-2026-40161)","url":"https://feed.craftedsignal.io/briefs/2026-04-tekton-credential-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-40161","version":"https://jsonfeed.org/version/1.1"}