
Security: Fix CVE-2026-40938 - tektoncd/pipeline git resolver argument injection#3381

Merged
tekton-robot merged 1 commit into release-v0.78.x from fix/cve-2026-40938-tektoncd-pipeline-release-v0.78.x-attempt-3 on Apr 30, 2026

Conversation

@jkhelil (Member) commented Apr 29, 2026

Summary

This PR fixes CVE-2026-40938 by upgrading github.com/tektoncd/pipeline from v1.6.1 to v1.6.2.

CVE Details

CVE ID: CVE-2026-40938
GHSA: GHSA-94jr-7pqp-xhcq
Package: github.com/tektoncd/pipeline
Severity: HIGH
Impact: Git resolver unsanitized revision parameter enables argument injection into the git CLI, potentially leading to remote code execution on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution enables full cluster-wide secret exfiltration.
Vulnerable versions: v1.0.0 – v1.6.1
Fixed version: v1.6.2
Jira Issues: SRVKP-11752

Additional CVEs Fixed in v1.6.2

This upgrade also resolves the following security issues:

Changes

go.mod:   github.com/tektoncd/pipeline v1.6.1 → v1.6.2
go.sum:   updated checksums
vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1/container_validation.go:     filepath.Clean fix (CVE-2026-40923)
vendor/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1/task_validation.go:    filepath.Clean fix (CVE-2026-40923)
vendor/modules.txt:  version updated

5 files changed, 12 insertions(+), 9 deletions(-)

Test Results

Status: ⚠️ TIMEOUT (no failures)

Tests discovered: Yes
Test command: go test ./...
Exit code: 124 (timeout — same behavior as previous automation runs on this repo)
Duration: 5m (timeout limit)

Packages passed: 8
Packages failed: 0
Packages timed out: remaining (long-running integration tests)

Packages passed:

  • pkg/apis/operator/v1alpha1
  • pkg/common
  • pkg/reconciler/common
  • pkg/reconciler/common/tektoninstallerset
  • pkg/reconciler/kubernetes/tektonchain
  • pkg/reconciler/kubernetes/tektonconfig/extension
  • pkg/reconciler/kubernetes/tektondashboard
  • pkg/reconciler/kubernetes/tektoninstallerset

The timeout is expected — this repo has long-running integration tests requiring a live cluster. All unit tests that completed passed with 0 failures. Full test coverage will be provided by CI after this PR.

Breaking Changes

None. This is a patch-level upgrade within the v1.6.x minor line. The only API changes are:

  • filepath.Clean() applied to VolumeMount paths before the /tekton/ prefix check (CVE-2026-40923 fix) — this is a security hardening change that rejects previously-invalid paths like /tekton/../sensitive

Verification Steps

  • Confirm github.com/tektoncd/pipeline is at v1.6.2 in go.mod
  • Run go mod verify to confirm checksums
  • Verify CVE is resolved: govulncheck -show verbose ./... should not report CVE-2026-40938
  • CI tests pass
  • Review VolumeMount validation change for any edge cases

Risk Assessment

Overall risk: Low
Change scope: Minimal, a patch upgrade within the same minor version
Breaking changes: None for valid inputs
Rollback: Revert go.mod/go.sum/vendor to v1.6.1

🤖 Generated by CVE Fixer Workflow | Resolves: SRVKP-11752

Release Notes

Security fix: upgrade github.com/tektoncd/pipeline from v1.6.1 to v1.6.2 to address CVE-2026-40938 (HIGH) - git resolver argument injection enabling RCE and secret exfiltration.
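The description above says the CVE-2026-40923 part of this upgrade applies filepath.Clean() to VolumeMount paths before the /tekton/ prefix check. The block below is an added example written for this page, not code from tektoncd/pipeline or from the operator repo, showing why a raw prefix test is bypassable and what normalising first changes. The function names (IsReservedMountRaw, IsReservedMountClean, CompareMounts), the decision to treat the bare directory /tekton as reserved, and the sample mountPaths are all assumptions made here; the upstream validator also carves out specific allowed subpaths, which this example does not model.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ReservedPrefix is the directory Tekton keeps for its own use inside step
// containers; user VolumeMounts into it are rejected by validation.
const ReservedPrefix = "/tekton/"

// IsReservedMountRaw is the pre-normalisation shape of the check: a prefix
// test on the path exactly as the user wrote it. Assumed reconstruction of
// the bug class, not the upstream code.
func IsReservedMountRaw(mountPath string) bool {
	return strings.HasPrefix(mountPath, ReservedPrefix)
}

// IsReservedMountClean normalises first, so "..", "." and repeated slashes
// cannot disguise where the mount actually lands. It also treats the bare
// directory "/tekton" as reserved, which a prefix test that insists on a
// trailing slash would miss. Validation runs in the Linux controller, so
// filepath.Clean uses "/" as the separator here.
func IsReservedMountClean(mountPath string) bool {
	clean := filepath.Clean(mountPath)
	return clean == strings.TrimSuffix(ReservedPrefix, "/") ||
		strings.HasPrefix(clean, ReservedPrefix)
}

// MountVerdict records how the two checks treat one path.
type MountVerdict struct {
	Path, Clean   string
	RejectedRaw   bool
	RejectedClean bool
}

// CompareMounts runs both checks over a list of mountPaths.
func CompareMounts(paths []string) []MountVerdict {
	out := make([]MountVerdict, 0, len(paths))
	for _, p := range paths {
		out = append(out, MountVerdict{
			Path:          p,
			Clean:         filepath.Clean(p),
			RejectedRaw:   IsReservedMountRaw(p),
			RejectedClean: IsReservedMountClean(p),
		})
	}
	return out
}

func main() {
	// Constructed sample mountPaths: a plainly reserved path, three values
	// that slip past the raw prefix test, and two legitimate mounts.
	samples := []string{
		"/tekton/creds",
		"/workspace/../tekton/creds",
		"//tekton/creds",
		"/tekton",
		"/tektonx/data",
		"/workspace/data",
	}
	for _, v := range CompareMounts(samples) {
		fmt.Printf("%-28s clean=%-16s raw-rejects=%-5v clean-rejects=%v\n",
			v.Path, v.Clean, v.RejectedRaw, v.RejectedClean)
	}
}
```

The /tektonx/data case is there to confirm the trailing slash in the prefix is doing its job: normalisation must not turn a sibling directory into a false positive. When reviewing the vendored change (the last verification step above), these are the inputs worth checking against the real validator.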

…jection

- Upgrade github.com/tektoncd/pipeline v1.6.1 → v1.6.2
- Fixes GHSA-94jr-7pqp-xhcq: git resolver unsanitized revision parameter
  enables argument injection into git CLI, enabling RCE on resolver pod
- Also fixes GHSA-wjxp-xrpv-xpff (CVE-2026-40161): git resolver API mode
  token leak via user-controlled serverURL
- Also fixes GHSA-rx35-6rhx-7858 (CVE-2026-40923): VolumeMount path
  restriction bypass via missing filepath normalization
- Also fixes GHSA-rmx9-2pp3-xhcr (CVE-2026-25542): VerificationPolicy
  regex pattern bypass via substring matching
- Also fixes GHSA-m2cx-gpqf-qf74 (CVE-2026-40924): HTTP resolver OOM DoS

Resolves: SRVKP-11752

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
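The advisory and commit message above describe the primary CVE as an unsanitised revision parameter reaching the git CLI as an argument. The block below is an added example written for this page, not the Tekton resolver's code and not a reproduction of the upstream fix: it shows the bug class (a user-controlled value placed in argv where git's option parser will read a leading dash as a flag) beside one way to close it. FetchArgsUnsafe, FetchArgsSafe, LooksLikeOption, the ValidateRevision policy (a leading-dash check plus a subset of git-check-ref-format rules) and the sample revisions are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRevision is returned for any revision the caller refuses to hand to git.
var ErrBadRevision = errors.New("invalid git revision")

// FetchArgsUnsafe builds argv the way an injectable caller would: the
// user-supplied revision becomes an argv element with no validation and no
// "--" separator, so a value beginning with "-" is parsed by git as an
// option rather than as a ref. Assumed illustration of the bug class only.
func FetchArgsUnsafe(revision string) []string {
	return []string{"git", "fetch", "origin", revision}
}

// LooksLikeOption reports whether git's option parser would treat the argv
// element as a flag rather than as a revision.
func LooksLikeOption(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// ValidateRevision applies an assumed allow-policy: the value must not look
// like an option and must satisfy a subset of git-check-ref-format(1) rules.
// Commit SHAs, branch names, tags and fully qualified refs all pass.
func ValidateRevision(rev string) error {
	switch {
	case rev == "":
		return fmt.Errorf("%w: empty", ErrBadRevision)
	case strings.HasPrefix(rev, "-"):
		return fmt.Errorf("%w: %q starts with '-' and would be parsed as a git option", ErrBadRevision, rev)
	case strings.HasPrefix(rev, "/"), strings.HasSuffix(rev, "/"), strings.Contains(rev, "//"):
		return fmt.Errorf("%w: %q has a leading, trailing or doubled slash", ErrBadRevision, rev)
	case strings.Contains(rev, ".."), strings.Contains(rev, "@{"), rev == "@":
		return fmt.Errorf("%w: %q uses revision-range or reflog syntax", ErrBadRevision, rev)
	case strings.HasSuffix(rev, "."), strings.HasSuffix(rev, ".lock"):
		return fmt.Errorf("%w: %q has a forbidden suffix", ErrBadRevision, rev)
	}
	for _, r := range rev {
		// Control characters and the characters git forbids in ref names.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: %q contains forbidden character %q", ErrBadRevision, rev, r)
		}
	}
	return nil
}

// FetchArgsSafe validates the revision and then places it after "--", so
// even a value that slipped past validation could not be read as an option.
func FetchArgsSafe(revision string) ([]string, error) {
	if err := ValidateRevision(revision); err != nil {
		return nil, err
	}
	return []string{"git", "fetch", "origin", "--", revision}, nil
}

func main() {
	// Constructed sample revisions: two legitimate refs, one option-shaped
	// value, one revision-range expression.
	for _, rev := range []string{"main", "refs/tags/v1.6.2", "--not-a-revision", "main..dev"} {
		raw := FetchArgsUnsafe(rev)
		fmt.Printf("unsafe argv %q  option-injected=%v\n", raw, LooksLikeOption(raw[3]))
		if safe, err := FetchArgsSafe(rev); err != nil {
			fmt.Printf("safe   rejected: %v\n", err)
		} else {
			fmt.Printf("safe   argv %q\n", safe)
		}
	}
}
```

The allow-list is the primary control; the "--" end-of-options marker is defence in depth for the case where a later refactor routes an unvalidated value into argv. Separately from the code change, the impact statement above notes that the tekton-pipelines-resolvers ServiceAccount can read every Secret in the cluster, so whether that binding can be narrowed is worth a look alongside this upgrade.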
@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Apr 29, 2026
@tekton-robot tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 29, 2026
@jkhelil (Member, Author) commented Apr 29, 2026

/approve

@tekton-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkhelil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 29, 2026
@jkhelil (Member, Author) commented Apr 29, 2026

/lgtm

@tekton-robot (Contributor)

@jkhelil: you cannot LGTM your own PR.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mbpavan (Contributor) commented Apr 30, 2026

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2026
@tekton-robot tekton-robot merged commit fe2392a into release-v0.78.x Apr 30, 2026
12 checks passed
@jkhelil jkhelil deleted the fix/cve-2026-40938-tektoncd-pipeline-release-v0.78.x-attempt-3 branch April 30, 2026 05:17