Cyber Resilience

CVE-2026-40161

Severity: High (updated)
Published: 21 April 2026
Modified: 21 May 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0004 (11.3th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40161 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Linuxfoundation Tekton Pipelines. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). Its EPSS score places it at the 11.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-40161 is a vulnerability in the Tekton Pipelines project, which provides Kubernetes-style resources for declaring CI/CD-style pipelines. It affects the git resolver in API mode for versions 1.0.0 through 1.10.0. When a user omits the token parameter, the resolver sends the system-configured Git API token to a user-controlled serverURL. The issue carries a CVSS score of 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and is linked to CWE-201.

A tenant with permission to create TaskRun or PipelineRun resources can exploit this vulnerability over the network with low complexity and no user interaction required. By setting the serverURL to an attacker-controlled endpoint and omitting the token parameter, the attacker receives the shared system Git API token, such as a GitHub Personal Access Token (PAT) or GitLab token. The confidentiality impact is high, and because the stolen token grants access beyond the tenant's own pipeline resources, the CVSS vector records a changed scope (S:C).

Mitigation details and patches are documented in the Tekton security advisory at https://github.com/tektoncd/pipeline/security/advisories/GHSA-wjxp-xrpv-xpff, along with related issues at https://github.com/tektoncd/pipeline/issues/9608 and https://github.com/tektoncd/pipeline/issues/9609.

Vulnerability details

The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.

CWE(s)

CWE-201 Insertion of Sensitive Information Into Sent Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability directly enables an attacker with TaskRun/PipelineRun creation permissions to cause the git resolver to send the system Git API token to an attacker-controlled serverURL, facilitating theft of an application access token.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33211 (same product: Linuxfoundation Tekton Pipelines)
CVE-2026-40938 (same product: Linuxfoundation Tekton Pipelines)
CVE-2026-28481 (shared CWE-201)
CVE-2026-24835 (same vendor: Linuxfoundation)
CVE-2026-37532 (same vendor: Linuxfoundation)
CVE-2025-68136 (same vendor: Linuxfoundation)
CVE-2026-33247 (same vendor: Linuxfoundation)
CVE-2024-24422 (same vendor: Linuxfoundation)
CVE-2026-32613 (same vendor: Linuxfoundation)
CVE-2026-24124 (same vendor: Linuxfoundation)

Affected Assets

Vendor: linuxfoundation
Product: tekton pipelines
Versions: 1.0.0 to 1.10.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-4 Information Flow Enforcement (prevent): Enforces approved information flow rules so the system-configured Git API token is never transmitted to a user-supplied serverURL.

AC-3 Access Enforcement (prevent): Mediates access to the shared Git token, ensuring it is only released when the resolver's destination has been explicitly authorized.

serverURL validation (prevent): Validates the serverURL parameter before the resolver uses it, rejecting untrusted or attacker-controlled endpoints that would receive the token.
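As an added illustration of the flow-enforcement and serverURL-validation controls above, and of the defect described in the deeper analysis, the following Go snippet is not Tekton's code: ResolverConfig, Params, vulnerableToken and hardenedToken are hypothetical names, and it assumes the system token is bound to a single configured API host. It contrasts the unsafe fallback (an omitted token silently becomes the system token for any serverURL) with a check that releases the system token only to that host over https.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ResolverConfig stands in for the system-configured Git API token and the host it was issued for (hypothetical, not Tekton's own type).
type ResolverConfig struct {
	APIToken string // shared system token, e.g. a GitHub PAT
	APIHost  string // host the token belongs to, e.g. "api.github.com"
}

type Params struct {
	ServerURL string // user-supplied resolver parameter
	Token     string // user-supplied resolver parameter; may be omitted
}

// vulnerableToken reproduces the defect: with token omitted, the system token is used wherever serverURL points.
func vulnerableToken(cfg ResolverConfig, p Params) (string, error) {
	if p.Token != "" {
		return p.Token, nil
	}
	return cfg.APIToken, nil
}

// hardenedToken releases the system token only for an https serverURL on the configured API host.
func hardenedToken(cfg ResolverConfig, p Params) (string, error) {
	if p.Token != "" {
		return p.Token, nil // caller supplied its own credential
	}
	u, err := url.Parse(p.ServerURL)
	if err != nil {
		return "", fmt.Errorf("invalid serverURL: %w", err)
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Hostname(), cfg.APIHost) {
		return "", fmt.Errorf("refusing to send system token to %q", p.ServerURL)
	}
	return cfg.APIToken, nil
}

func main() {
	cfg := ResolverConfig{APIToken: "ghp_constructed_sample", APIHost: "api.github.com"} // constructed values
	for _, s := range []string{"https://api.github.com", "https://untrusted.example.test"} {
		vt, _ := vulnerableToken(cfg, Params{ServerURL: s})
		ht, err := hardenedToken(cfg, Params{ServerURL: s})
		fmt.Printf("%s: vulnerable=%q hardened=%q err=%v\n", s, vt, ht, err)
	}
}
```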

References

Tekton security advisory: https://github.com/tektoncd/pipeline/security/advisories/GHSA-wjxp-xrpv-xpff
Related issue: https://github.com/tektoncd/pipeline/issues/9608
Related issue: https://github.com/tektoncd/pipeline/issues/9609