CVE-2026-25542: Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
The Trusted Resources verification system matches a resource source string (refSource.URI) against spec.resources[].pattern using Go’s regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the input string. As a result, common unanchored patterns—including examples found in Tekton documentation—can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This may cause an unintended policy match and alter which verification mode or keys are applied.
References
- github.com/advisories/GHSA-rmx9-2pp3-xhcr
- github.com/tektoncd/pipeline
- github.com/tektoncd/pipeline/commit/2c398711e6e9e232180508f0648425a8ea34dc9e
- github.com/tektoncd/pipeline/releases/tag/v1.11.0
- github.com/tektoncd/pipeline/security/advisories/GHSA-rmx9-2pp3-xhcr
- nvd.nist.gov/vuln/detail/CVE-2026-25542
Code Behaviors & Features
Detect and mitigate CVE-2026-25542 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →