fix(cve): CVE-2026-40938, CVE-2026-40161 - bump tektoncd/pipeline to v1.3.4 [release-v0.42.2]#2868
Open
divyansh42 wants to merge 1 commit into
Conversation
tekton-robot
added
do-not-merge/release-note-label-needed
divyansh42
force-pushed
the
fix/cve-2026-40938-cve-2026-40161-tektoncd-pipeline-release-v0.42.2-attempt-1
branch
from
37db085 to
7a9e82a
Compare
tekton-robot
removed
the
needs-rebase
Member
Author
|
/release-note-none |
tekton-robot
added
release-note-none
Member
Author
|
/hold |
tekton-robot
added
the
do-not-merge/hold
divyansh42
changed the title
divyansh42
force-pushed
the
fix/cve-2026-40938-cve-2026-40161-tektoncd-pipeline-release-v0.42.2-attempt-1
branch
from
7a9e82a to
01aa02d
Compare
tekton-robot
added
size/XXL
…v1.3.4 - Update github.com/tektoncd/pipeline from v1.3.1 to v1.3.4 - CVE-2026-40938 (Critical): Arbitrary code execution and secret exfiltration via malicious git commands in the git resolver - CVE-2026-40161 (High): Information disclosure of Git API token via user-controlled serverURL in the git resolver Resolves: SRVKP-11720, SRVKP-11650 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: divyansh42 <diagrawa@redhat.com>
divyansh42
force-pushed
the
fix/cve-2026-40938-cve-2026-40161-tektoncd-pipeline-release-v0.42.2-attempt-1
branch
from
01aa02d to
bed4851
Compare
tekton-robot
added
size/L
Member
Author
|
/hold cancel |
tekton-robot
removed
the
do-not-merge/hold
Contributor
|
/approve |
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: pratap0007 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CVE Details
CVE-2026-40938 (Critical)
Tekton Pipelines: Arbitrary code execution and secret exfiltration via malicious git commands
The git resolver's
revisionparameter is passed directly togit fetchwithout validation. An attacker can inject arbitrary git fetch flags via the--upload-pack=flag, enabling arbitrary code execution on the resolver pod.github.com/tektoncd/pipeline v1.3.4CVE-2026-40161 (High)
Tekton Pipelines: Information disclosure of Git API token via user-controlled serverURL
The git resolver in API mode sends the system-configured Git API token to a user-controlled
serverURL, enabling token exfiltration.github.com/tektoncd/pipeline v1.3.4Fix Summary
Updated
github.com/tektoncd/pipelinefromv1.3.1tov1.3.4ingo.modand ran./hack/update-deps.sh.go.modgithub.com/tektoncd/pipeline v1.3.1→v1.3.4go.sumvendor/hack/update-deps.shthird_party/Test Results
go mod tidygo build -mod=vendor ./...go mod verifyJira References
SRVKP-11720, SRVKP-11650