CVE-2026-33211
Published: 24 March 2026
Summary
CVE-2026-33211 is a critical-severity Path Traversal (CWE-22) vulnerability in Linuxfoundation Tekton Pipelines. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 7.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Validates the pathInRepo parameter to block path traversal attempts, preventing arbitrary file reads from the resolver pod's filesystem, including ServiceAccount tokens.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation by upgrading Tekton Pipelines to patched versions that fix the path traversal vulnerability in the git resolver.
- Least privilege: Restricts creation of ResolutionRequests via TaskRuns or PipelineRuns to authorized entities only, limiting the set of potential exploiters in multi-tenant environments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables direct arbitrary file reads from the pod filesystem (T1005), specifically to obtain credentials such as ServiceAccount tokens (T1552.001) via exploitation of a software vulnerability (T1212).
NVD Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal via the `pathInRepo` parameter. A tenant with permission to create `ResolutionRequests` (e.g. by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. The file contents are returned base64-encoded in `resolutionrequest.status.data`. Versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a patch.
Deeper analysis
CVE-2026-33211 is a path traversal vulnerability (CWE-22) in the Tekton Pipelines git resolver, which provides Kubernetes-style resources for declaring CI/CD pipelines. The issue affects versions starting from 1.0.0 and prior to the patched releases 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. Exploitation occurs via the `pathInRepo` parameter, allowing unauthorized access to files outside the intended repository path.
A tenant with permission to create `ResolutionRequests`, typically obtained by creating `TaskRuns` or `PipelineRuns` that use the git resolver, can exploit this flaw. The result is an arbitrary file read from the resolver pod's filesystem, including sensitive items such as ServiceAccount tokens. Retrieved file contents are returned base64-encoded in the `resolutionrequest.status.data` field. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N): it is reachable over the network, has low attack complexity, requires only low privileges and no user interaction, and its scope is changed, meaning the impact extends beyond the git resolver component itself, with high confidentiality and integrity impact.
Patched versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 address the issue, as implemented in the following Tekton Pipelines GitHub commits: 10fa538f9a2b6d01c75138f1ed7ba3da0e34687c, 318006c4e3a5, 3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd, 961388fcf3374bc7656d28ab58ca84987e0a75ae, and b1fee65b88aa969069c14c120045e97c37d9ee5e. Security practitioners should upgrade to these versions and review access controls for `ResolutionRequests` in multi-tenant Kubernetes environments.
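The SI-10 control above calls for validating `pathInRepo` so that it can only name a file inside the cloned repository. The following Go example is added here as an illustration of that check and is not Tekton's own code or its actual fix; the `pathInRepo` parameter name comes from the advisory, while the `ResolutionRequest` struct, the `repoRoot` value and the sample requests are simplified, constructed stand-ins. It normalizes the parameter, rejects anything that would escape the repository root, and then applies the same rule to a list of requests so an operator can audit existing `ResolutionRequests` for values that a patched resolver would refuse.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// repoRoot is a constructed sample clone directory, not a path used by Tekton.
const repoRoot = "/tmp/git-resolver-clone"

// ErrUnsafePath is returned for any pathInRepo that would leave the clone.
var ErrUnsafePath = errors.New("pathInRepo escapes the cloned repository")

// ValidatePathInRepo returns a cleaned, repository-relative path or an error.
// It treats backslashes as separators, refuses absolute paths, and refuses any
// path that still begins with ".." after normalization.
func ValidatePathInRepo(pathInRepo string) (string, error) {
	if strings.TrimSpace(pathInRepo) == "" {
		return "", errors.New("pathInRepo must not be empty")
	}
	if strings.ContainsRune(pathInRepo, 0) {
		return "", errors.New("pathInRepo contains a NUL byte")
	}
	p := strings.ReplaceAll(pathInRepo, `\`, "/")
	if path.IsAbs(p) {
		return "", ErrUnsafePath
	}
	clean := path.Clean(p)
	if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrUnsafePath
	}
	return clean, nil
}

// ResolveInRepo joins the validated path onto root and double-checks
// containment with filepath.Rel, so a bug in either step is caught by the other.
func ResolveInRepo(root, pathInRepo string) (string, error) {
	clean, err := ValidatePathInRepo(pathInRepo)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, filepath.FromSlash(clean))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

// ResolutionRequestParam is a simplified stand-in for a name/value pair in a
// ResolutionRequest's spec.params (assumption, not Tekton's real type).
type ResolutionRequestParam struct{ Name, Value string }

// ResolutionRequest is likewise a simplified stand-in for the real resource.
type ResolutionRequest struct {
	Name   string
	Params []ResolutionRequestParam
}

// AuditResolutionRequests returns the names of requests whose pathInRepo
// would be rejected by ValidatePathInRepo; useful for reviewing a cluster
// before and after upgrading to a patched release.
func AuditResolutionRequests(reqs []ResolutionRequest) []string {
	var flagged []string
	for _, r := range reqs {
		for _, p := range r.Params {
			if p.Name != "pathInRepo" {
				continue
			}
			if _, err := ValidatePathInRepo(p.Value); err != nil {
				flagged = append(flagged, r.Name)
			}
		}
	}
	return flagged
}

// SampleRequests is constructed sample data, not captured from any cluster.
var SampleRequests = []ResolutionRequest{
	{Name: "build-task", Params: []ResolutionRequestParam{
		{"url", "https://example.invalid/repo.git"}, {"revision", "main"}, {"pathInRepo", "./tasks//build.yaml"}}},
	{Name: "escape-relative", Params: []ResolutionRequestParam{
		{"url", "https://example.invalid/repo.git"}, {"pathInRepo", "tasks/../../../outside.yaml"}}},
	{Name: "escape-absolute", Params: []ResolutionRequestParam{
		{"url", "https://example.invalid/repo.git"}, {"pathInRepo", "/outside.yaml"}}},
}

func main() {
	for _, r := range SampleRequests {
		for _, p := range r.Params {
			if p.Name == "pathInRepo" {
				full, err := ResolveInRepo(repoRoot, p.Value)
				fmt.Printf("%-16s %-32q -> %q err=%v\n", r.Name, p.Value, full, err)
			}
		}
	}
	fmt.Println("flagged:", AuditResolutionRequests(SampleRequests))
}
```

The lexical check is deliberately strict (it rejects the repository root itself and any leading `..`), but it cannot see symlinks committed inside the repository that point outside the clone; a resolver that opens the file should additionally resolve the final path with `filepath.EvalSymlinks` and re-check containment against the clone directory before reading.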
Details
- CWE(s)