RHSA-2026:10066
Vulnerability from csaf_redhat - Published: 2026-04-23 06:29 - Updated: 2026-04-23 14:48Summary
Red Hat Security Advisory: Red Hat OpenShift Pipelines Release 1.20.4
Severity
Important
Notes
Topic: The 1.20.4 GA release of Red Hat OpenShift Pipelines Operator..
For more details see [product documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines).
Details: The 1.20.4 release of Red Hat OpenShift Pipelines Operator.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial of service flaw was found in Tekton Pipelines. Any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness.
6.5 (Medium)
Vendor Fix
Red Hat OpenShift Pipelines is a cloud-native, continuous integration and
continuous delivery (CI/CD) solution based on Kubernetes resources.
It uses Tekton building blocks to automate deployments across multiple
platforms by abstracting away the underlying implementation details.
Tekton introduces a number of standard custom resource definitions (CRDs)
for defining CI/CD pipelines that are portable across Kubernetes distributions.
https://access.redhat.com/errata/RHSA-2026:10066
Workaround
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in Tekton Pipelines, specifically in the Tekton Pipelines git resolver. A tenant with permissions to create ResolutionRequests can exploit a path traversal vulnerability via the `pathInRepo` parameter. This allows the tenant to read arbitrary files from the resolver pod's filesystem, leading to information disclosure, including sensitive ServiceAccount tokens. The contents of these files are returned in a base64-encoded format.
9.6 (Critical)
Vendor Fix
Red Hat OpenShift Pipelines is a cloud-native, continuous integration and
continuous delivery (CI/CD) solution based on Kubernetes resources.
It uses Tekton building blocks to automate deployments across multiple
platforms by abstracting away the underlying implementation details.
Tekton introduces a number of standard custom resource definitions (CRDs)
for defining CI/CD pipelines that are portable across Kubernetes distributions.
https://access.redhat.com/errata/RHSA-2026:10066
Workaround
To mitigate this vulnerability, restrict the creation of ResolutionRequests to trusted users and service accounts. Implement strict Role-Based Access Control (RBAC) policies to limit which tenants can create TaskRuns or PipelineRuns that utilize the Tekton Pipelines git resolver. This reduces the exposure by preventing unauthorized access to the resolver pod's filesystem.
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "The 1.20.4 GA release of Red Hat OpenShift Pipelines Operator..\nFor more details see [product documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines).",
"title": "Topic"
},
{
"category": "general",
"text": "The 1.20.4 release of Red Hat OpenShift Pipelines Operator.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10066",
"url": "https://access.redhat.com/errata/RHSA-2026:10066"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33022",
"url": "https://access.redhat.com/security/cve/CVE-2026-33022"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33211",
"url": "https://access.redhat.com/security/cve/CVE-2026-33211"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines",
"url": "https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10066.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Pipelines Release 1.20.4",
"tracking": {
"current_release_date": "2026-04-23T14:48:52+00:00",
"generator": {
"date": "2026-04-23T14:48:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:10066",
"initial_release_date": "2026-04-23T06:29:20+00:00",
"revision_history": [
{
"date": "2026-04-23T06:29:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T06:29:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-23T14:48:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Pipelines 1.2",
"product": {
"name": "Red Hat OpenShift Pipelines 1.2",
"product_id": "Red Hat OpenShift Pipelines 1.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_pipelines:1.20::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Pipelines"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64",
"product": {
"name": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64",
"product_id": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64",
"product_identification_helper": {
"purl": "pkg:oci/pipelines-operator-bundle@sha256%3A8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085?arch=amd64\u0026repository_url=registry.redhat.io/openshift-pipelines\u0026tag=1776925111"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64 as a component of Red Hat OpenShift Pipelines 1.2",
"product_id": "Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
},
"product_reference": "registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64",
"relates_to_product_reference": "Red Hat OpenShift Pipelines 1.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33022",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"discovery_date": "2026-03-20T08:01:37.605922+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2449483"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Tekton Pipelines. Any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/tektoncd/pipeline: Tekton Pipelines: Denial of Service via long resolver names",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33022"
},
{
"category": "external",
"summary": "RHBZ#2449483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33022",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33022"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6",
"url": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj",
"url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj"
}
],
"release_date": "2026-03-20T07:48:15.383000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T06:29:20+00:00",
"details": "Red Hat OpenShift Pipelines is a cloud-native, continuous integration and\ncontinuous delivery (CI/CD) solution based on Kubernetes resources.\nIt uses Tekton building blocks to automate deployments across multiple\nplatforms by abstracting away the underlying implementation details.\nTekton introduces a number of standard custom resource definitions (CRDs)\nfor defining CI/CD pipelines that are portable across Kubernetes distributions.",
"product_ids": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10066"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/tektoncd/pipeline: Tekton Pipelines: Denial of Service via long resolver names"
},
{
"cve": "CVE-2026-33211",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-24T00:02:20.093480+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450554"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Tekton Pipelines, specifically in the Tekton Pipelines git resolver. A tenant with permissions to create ResolutionRequests can exploit a path traversal vulnerability via the `pathInRepo` parameter. This allows the tenant to read arbitrary files from the resolver pod\u0027s filesystem, leading to information disclosure, including sensitive ServiceAccount tokens. The contents of these files are returned in a base64-encoded format.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Tekton Pipelines: github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure via path traversal in git resolver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker needs to have the permission to create ResolutionRequests (e.g., by creating TaskRuns or PipelineRuns that use the git resolver) within at least one specific namespace, limiting the exposure of this issue to authenticated users. Also, an attacker can read any file readable by the resolver pod process, including cluster secrets, allowing an escalation of privileges from namespace-scoped access to cluster-wide access. Due to these reasons, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33211"
},
{
"category": "external",
"summary": "RHBZ#2450554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450554"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33211",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33211"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33211",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33211"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c",
"url": "https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/318006c4e3a5",
"url": "https://github.com/tektoncd/pipeline/commit/318006c4e3a5"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd",
"url": "https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae",
"url": "https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e",
"url": "https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db",
"url": "https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78",
"url": "https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78"
},
{
"category": "external",
"summary": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c",
"url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c"
}
],
"release_date": "2026-03-23T23:55:54.089000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T06:29:20+00:00",
"details": "Red Hat OpenShift Pipelines is a cloud-native, continuous integration and\ncontinuous delivery (CI/CD) solution based on Kubernetes resources.\nIt uses Tekton building blocks to automate deployments across multiple\nplatforms by abstracting away the underlying implementation details.\nTekton introduces a number of standard custom resource definitions (CRDs)\nfor defining CI/CD pipelines that are portable across Kubernetes distributions.",
"product_ids": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10066"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict the creation of ResolutionRequests to trusted users and service accounts. Implement strict Role-Based Access Control (RBAC) policies to limit which tenants can create TaskRuns or PipelineRuns that utilize the Tekton Pipelines git resolver. This reduces the exposure by preventing unauthorized access to the resolver pod\u0027s filesystem.",
"product_ids": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat OpenShift Pipelines 1.2:registry.redhat.io/openshift-pipelines/pipelines-operator-bundle@sha256:8cadde0c138f382b9da827165ddcc141e81f864d389dcb17d270e420c33d1085_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Tekton Pipelines: github.com/tektoncd/pipeline: Tekton Pipelines: Information disclosure via path traversal in git resolver"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…