GHSA-WJXP-XRPV-XPFF

Vulnerability from github – Published: 2026-04-21 18:52 – Updated: 2026-04-21 18:52
Summary
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Details

Summary

The Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint.

Details

The git resolver's ResolveAPIGit() function in pkg/resolution/resolver/git/resolver.go constructs an SCM client using the user-supplied serverURL and a token obtained via getAPIToken().

When the user provides serverURL but omits the token parameter:

  1. getSCMTypeAndServerURL() reads serverURL directly from user params (params[ServerURLParam]) with no validation against the system-configured URL.

  2. secretRef is set to nil because the user did not provide a token parameter.

  3. getAPIToken(ctx, nil, APISecretNameKey) is called. It detects apiSecret == nil, creates a new secretCacheKey, and populates it from the system-configured secret (conf.APISecretName / conf.APISecretNamespace / SYSTEM_NAMESPACE).

  4. clientFunc(scmType, serverURL, string(apiToken)) creates an SCM client pointed at the attacker-controlled URL with the system token. The SCM factory sets the token as an Authorization header on the HTTP client.

  5. All subsequent API calls (Contents.Find, Git.FindCommit) carry the system token to the attacker URL.

Impact

The system Git API token (GitHub PAT, GitLab token, etc.) is exfiltrated to an attacker-controlled endpoint. This token typically has read access to private repositories containing source code, secrets, and CI/CD configurations.

This follows the same threat model as GHSA-j5q5-j9gm-2w5c (published March 2026): a namespace-scoped tenant with permission to create TaskRuns exploits the git resolver to exfiltrate credentials. The prior advisory involved reading the resolver pod's ServiceAccount token via path traversal. This finding involves redirecting the system Git API token via serverURL.

Patches

(to be filled in after fix is merged and released)

The fix validates that when serverURL is user-provided and differs from the system-configured server URL, the user must also provide their own token parameter. Using the system token with a non-system server URL is rejected.
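The token-routing decision from the five-step flow in the Details section and the check this fix describes, as an added Go example that is not Tekton's own code: SelectTokenVulnerable models the pre-fix fallback to the system secret, SelectTokenFixed adds the rule that the system secret only ever goes to the system server. Function and parameter names are assumptions, and the URL normalisation in sameServer is this example's choice, not necessarily what the upstream patch does.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
)

// ErrForeignServerNeedsToken: serverURL points away from the system server and no user token was given.
var ErrForeignServerNeedsToken = errors.New("serverURL is not the system server; a user token is required")

// effectiveServer applies the user's serverURL override, as the resolver does when the param is set.
func effectiveServer(sysServer, userServer string) string {
	if userServer != "" {
		return userServer
	}
	return sysServer
}

// sameServer ignores case and a trailing slash but rejects look-alike hosts (api.github.com.example).
func sameServer(a, b string) bool {
	ua, errA := url.Parse(a)
	ub, errB := url.Parse(b)
	if errA != nil || errB != nil {
		return false // an unparseable URL never counts as the system server
	}
	return strings.EqualFold(ua.Scheme, ub.Scheme) && strings.EqualFold(ua.Host, ub.Host) &&
		strings.TrimSuffix(ua.Path, "/") == strings.TrimSuffix(ub.Path, "/")
}

// SelectTokenVulnerable is the pre-fix behaviour (assumed model): with token omitted, the system secret goes to whatever server the user named.
func SelectTokenVulnerable(sysServer, sysSecret, userServer, userToken string) (secret, server string) {
	server = effectiveServer(sysServer, userServer)
	if userToken != "" {
		return userToken, server
	}
	return sysSecret, server
}

// SelectTokenFixed: the system secret is only sent to the system server; any other serverURL needs the caller's own token.
func SelectTokenFixed(sysServer, sysSecret, userServer, userToken string) (secret, server string, err error) {
	server = effectiveServer(sysServer, userServer)
	if userToken != "" {
		return userToken, server, nil
	}
	if !sameServer(server, sysServer) {
		return "", "", ErrForeignServerNeedsToken
	}
	return sysSecret, server, nil
}
```

The returned pair is what getAPIToken and clientFunc would consume: which secret is read and which host receives it in the Authorization header.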

Workarounds

  • Do not configure a system-level API token in the git resolver ConfigMap. Instead, require all users to provide their own tokens via the token parameter.
  • Restrict TaskRun creation — limit which users or ServiceAccounts can create TaskRuns and PipelineRuns that use the git resolver.
  • Network egress policies — apply NetworkPolicy to the tekton-pipelines-resolvers namespace to restrict outbound traffic to known-good Git servers only.

Affected Versions

All releases from v1.0.0 through v1.10.0, including all patch releases. The API mode of the git resolver has been present since the resolver was introduced.

Releases prior to v1.0.0 are not affected because the git resolver either did not exist or did not have API mode.

Acknowledgments

This vulnerability was reported by Koda Reef (@kodareef5), who provided a detailed analysis and proof-of-concept. Thank you!

References

  • Prior advisory: GHSA-j5q5-j9gm-2w5c
  • Related: #9608 (deprecate api-token-secret-namespace)
  • Related: #9609 (SubjectAccessReview for resolver secrets)

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tektoncd/pipeline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T18:52:18Z",
    "nvd_published_at": "2026-04-21T17:16:53Z",
    "severity": "HIGH"
  },
  "id": "GHSA-wjxp-xrpv-xpff",
  "modified": "2026-04-21T18:52:18Z",
  "published": "2026-04-21T18:52:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-wjxp-xrpv-xpff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/issues/9608"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tektoncd/pipeline/issues/9609"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tektoncd/pipeline"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL"
}

