CVE-2026-40161
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL
Description
### Summary The Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled `serverURL` when the user omits the `token` parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing `serverURL` to an attacker-controlled endpoint. ### Details The git resolver's `ResolveAPIGit()` function in `pkg/resolution/resolver/git/resolver.go` constructs an SCM client using the user-supplied `serverURL` and a token obtained via `getAPIToken()`. When the user provides `serverURL` but omits the `token` parameter: 1. `getSCMTypeAndServerURL()` reads `serverURL` directly from user params (`params[ServerURLParam]`) with no validation against the system-configured URL. 2. `secretRef` is set to `nil` because the user did not provide a token parameter. 3. `getAPIToken(ctx, nil, APISecretNameKey)` is called. It detects `apiSecret == nil`, creates a new `secretCacheKey`, and populates it from the system-configured secret (`conf.APISecretName` / `conf.APISecretNamespace` / `SYSTEM_NAMESPACE`). 4. `clientFunc(scmType, serverURL, string(apiToken))` creates an SCM client pointed at the attacker-controlled URL with the system token. The SCM factory sets the token as an `Authorization` header on the HTTP client. 5. All subsequent API calls (`Contents.Find`, `Git.FindCommit`) carry the system token to the attacker URL. ### Impact The system Git API token (GitHub PAT, GitLab token, etc.) is exfiltrated to an attacker-controlled endpoint. This token typically has read access to private repositories containing source code, secrets, and CI/CD configurations. This follows the same threat model as GHSA-j5q5-j9gm-2w5c (published March 2026): a namespace-scoped tenant with permission to create TaskRuns exploits the git resolver to exfiltrate credentials. The prior advisory involved reading the resolver pod's ServiceAccount token via path traversal. This finding involves redirecting the system Git API token via `serverURL`. ### Patches Fixed in: - v1.0.2 (release-v1.0.x branch) - v1.3.4 (release-v1.3.x branch) - v1.6.2 (release-v1.6.x branch) - v1.9.3 (release-v1.9.x branch) - v1.11.1 (release-v1.11.x branch) The fix validates that when `serverURL` is user-provided and differs from the system-configured server URL, the user must also provide their own `token` parameter. Using the system token with a non-system server URL is rejected. ### Workarounds - **Do not configure a system-level API token** in the git resolver ConfigMap. Instead, require all users to provide their own tokens via the `token` parameter. - **Restrict TaskRun creation** — limit which users or ServiceAccounts can create TaskRuns and PipelineRuns that use the git resolver. - **Network egress policies** — apply `NetworkPolicy` to the `tekton-pipelines-resolvers` namespace to restrict outbound traffic to known-good Git servers only. ### Affected Versions All releases from **v1.0.0** through **v1.10.0**, including all patch releases. The API mode of the git resolver has been present since the resolver was introduced. Releases prior to v1.0.0 are not affected because the git resolver either did not exist or did not have API mode. ### Acknowledgments This vulnerability was reported by Koda Reef (@kodareef5), who provided a detailed analysis and proof-of-concept. Thank you! ### References - Prior advisory: [GHSA-j5q5-j9gm-2w5c](https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c) - Related: #9608 (deprecate `api-token-secret-namespace`) - Related: #9609 (SubjectAccessReview for resolver secrets)