
AIKIDO-2026-10516

github.com/tektoncd/pipeline is vulnerable to Insertion of Sensitive Information Into Sent Data

Insertion of Sensitive Information Into Sent Data (CVE-2026-40161), published Apr 23, 2026

77

High Risk

This affects:

Go: github.com/tektoncd/pipeline
1.0.0 - 1.0.1 (fixed in 1.0.2)
1.2.28 - 1.3.3 (fixed in 1.3.4)
1.4.0 - 1.6.1 (fixed in 1.6.2)
1.7.0 - 1.9.2 (fixed in 1.9.3)
1.10.0 - 1.11.0 (fixed in 1.11.1)

TL;DR

An improper access control issue in the Tekton Pipelines git resolver's API mode allowed users with permission to create TaskRun or PipelineRun resources to supply a user-controlled serverURL while omitting the token parameter, causing the resolver to reuse the system-configured Git API token for requests to an attacker-controlled server. This enabled exfiltration of shared credentials such as GitHub PATs or GitLab tokens, potentially exposing private repositories, source code, CI/CD configuration, and other sensitive data.
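The following is an added illustration of the token-selection logic the advisory describes, placed beside a hardened form that only releases the shared token to the configured host. It is not Tekton's own code; the type, function and parameter names (ResolverConfig, vulnerableToken, hardenedToken, the serverURL and token map keys) and all URL and token values are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ResolverConfig models the cluster-wide git resolver settings (hypothetical
// field names; this is an illustrative example, not Tekton's code).
type ResolverConfig struct {
	ServerURL string // configured Git API server (constructed value below)
	APIToken  string // shared token injected from a Secret
}

// vulnerableToken mirrors the flaw in the advisory: when the run params omit
// "token", the system token is reused for whatever serverURL was supplied.
func vulnerableToken(cfg ResolverConfig, params map[string]string) (serverURL, token string) {
	serverURL, token = cfg.ServerURL, cfg.APIToken
	if v := params["serverURL"]; v != "" {
		serverURL = v
	}
	if v := params["token"]; v != "" {
		token = v
	}
	return serverURL, token
}

// hardenedToken keeps the resolution behaviour but refuses to send the shared
// token anywhere except the configured host; a foreign serverURL must carry
// its own token parameter.
func hardenedToken(cfg ResolverConfig, params map[string]string) (serverURL, token string, err error) {
	serverURL, token = vulnerableToken(cfg, params)
	if params["token"] != "" {
		return serverURL, token, nil // caller-supplied credential, nothing shared leaks
	}
	if !sameOrigin(serverURL, cfg.ServerURL) {
		return "", "", fmt.Errorf("refusing to send system token to %q", serverURL)
	}
	return serverURL, token, nil
}

// sameOrigin compares scheme and host so that a lookalike URL cannot pass.
func sameOrigin(a, b string) bool {
	ua, errA := url.Parse(a)
	ub, errB := url.Parse(b)
	if errA != nil || errB != nil || ua.Host == "" {
		return false
	}
	return ua.Scheme == ub.Scheme && strings.EqualFold(ua.Host, ub.Host)
}
```

Run hardenedToken with a params map that sets serverURL to an unconfigured host and no token: the vulnerable path hands back the shared token, the hardened path returns an error instead.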

Who does this affect?

You are affected if you are running a version that falls within one of the affected version ranges listed above.

Background info

github.com/tektoncd/pipeline is vulnerable to Insertion of Sensitive Information Into Sent Data in versions 1.10.0 - 1.11.0, 1.7.0 - 1.9.2, 1.4.0 - 1.6.1, 1.2.28 - 1.3.3 and 1.0.0 - 1.0.1.

How to fix this

Upgrade the github.com/tektoncd/pipeline library to the fixed version for your release line (1.0.2, 1.3.4, 1.6.2, 1.9.3 or 1.11.1).