CVE-2026-40924
6.5 MEDIUMTekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines
Published: 2026-04-21 · Last updated: 2026-04-27
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-400
Affected products
| Vendor | Product |
|---|---|
| linuxfoundation | tekton_pipelines |
Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-40924
- [Other]https://github.com/tektoncd/pipeline/releases/tag/v1.11.1
- [Vendor advisory]https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74
- [Vendor advisory]https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74
Related CVEs
Same vendor
- CVE-2026-44477 — CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments (9.9 CRITICAL)
- CVE-2026-44247 — Volcano is a Kubernetes-native batch scheduling system (6.8 MEDIUM)
- CVE-2026-44374 — Backstage is an open framework for building developer portals (4.3 MEDIUM)
- CVE-2026-45321 — On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm ... (9.6 CRITICAL)
- CVE-2026-37531 — AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-... (9.8 CRITICAL)
Same CWE
- CVE-2026-12325 — Denial-of-service in the Graphics: ImageLib component (6.5 MEDIUM)
- CVE-2026-12319 — Denial-of-service in the Audio/Video: Playback component (6.5 MEDIUM)
- CVE-2026-50889 — An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending ... (7.5 HIGH)
- CVE-2026-50882 — An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted PO... (7.5 HIGH)
- CVE-2026-50879 — An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a ... (7.5 HIGH)