CVE-2026-40161: Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

April 21, 2026 (updated May 21, 2026)

The Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint.

References

github.com/advisories/GHSA-wjxp-xrpv-xpff
github.com/tektoncd/pipeline/issues/9608
github.com/tektoncd/pipeline/issues/9609
github.com/tektoncd/pipeline/security/advisories/GHSA-wjxp-xrpv-xpff
nvd.nist.gov/vuln/detail/CVE-2026-40161

Code Behaviors & Features

Detect and mitigate CVE-2026-40161 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →