CVE-2026-33211: Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod

March 18, 2026

The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests (e.g. by creating TaskRuns or PipelineRuns that use the git resolver) can read arbitrary files from the resolver pod’s filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in resolutionrequest.status.data.

References

github.com/advisories/GHSA-j5q5-j9gm-2w5c
github.com/tektoncd/pipeline
github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c
nvd.nist.gov/vuln/detail/CVE-2026-33211

Code Behaviors & Features

Detect and mitigate CVE-2026-33211 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →