Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tekton's trusted resources feature decides which VerificationPolicy governs a remote Task or Pipeline by matching the resource's source string (refSource.URI) against each policy's spec.resources[].pattern with Go's regexp.MatchString. regexp.MatchString reports a match when the pattern occurs anywhere in the string, so an unanchored pattern (including the examples in the Tekton documentation) is also satisfied by an attacker-controlled source string that merely contains the trusted pattern as a substring. A resource from an untrusted source can therefore be matched to the wrong policy and verified under that policy's mode and keys rather than the ones the cluster operator intended for it. The impact is to integrity (CVSS C:N/I:H/A:N): nothing is disclosed, but a resource the attacker controls can be treated as if it had come from a trusted source.

Affected Systems

This vulnerability affects Tekton Pipelines versions from 0.43.0 up to, but not including, the fixed releases 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1. Any cluster running a version older than those fixes and relying on VerificationPolicies for resource validation is impacted.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N: reachable over the network, low attack complexity, low privileges required, no user interaction, and an impact on integrity only. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The attack vector is an attacker who can supply or influence the remote resource references that a pipeline resolves, for example through a low-privileged account that can author runs or through compromised CI tooling. The attacker points a reference at a source they control whose string contains the trusted pattern as a substring (the trusted repository URL embedded in the path of their own repository, for instance), so that the trusted policy's unanchored pattern matches and its verification mode and keys are applied to the attacker's resource.

Generated by OpenCVE AI on May 22, 2026 at 17:51 UTC.

Remediation

Fixed upstream in Tekton Pipelines 1.0.2, 1.3.4, 1.6.2, 1.9.3 and 1.11.1 (see the description and GHSA-rmx9-2pp3-xhcr). Anchoring the VerificationPolicy patterns is a workaround for clusters that cannot upgrade immediately.

OpenCVE Recommended Actions

  • Upgrade Tekton Pipelines to the fixed release for your minor line: 1.0.2, 1.3.4, 1.6.2, 1.9.3 or 1.11.1 (or any later release).
  • If an upgrade is not immediately possible, rewrite existing VerificationPolicy patterns so they are anchored at both ends with ^ and $ and match the intended source string exactly, and escape regex metacharacters in the URL (a dot in a hostname must be written \. because an unescaped dot matches any character). Where a policy is meant to cover paths beneath a repository, spell that suffix out explicitly instead of leaving the end of the pattern open.
  • Audit every VerificationPolicy in the cluster for unanchored patterns, confirm which policy (and so which mode and keys) each trusted source actually selects, and look for resolved resources whose refSource.URI contains a trusted repository URL as a substring of some other host or path.

Generated by OpenCVE AI on May 22, 2026 at 17:51 UTC.
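The substring bypass the description refers to, and the anchoring workaround in the recommended actions above, can be reproduced in a few lines of Go. The program below is an added example, not Tekton's code and not part of the advisory: the Policy type is a simplified stand-in for the relevant fields of a VerificationPolicy (name, mode, spec.resources[].pattern), and the trusted and attacker URIs are constructed for the demonstration. It shows the vulnerable regexp.MatchString check accepting a source string that merely contains the trusted pattern, the same check rejecting it once the pattern is anchored, and why anchoring alone is not enough when the pattern still contains unescaped regex metacharacters (the dots in a hostname).

```go
package main

import (
	"fmt"
	"regexp"
)

// Policy is a simplified stand-in for the parts of a Tekton VerificationPolicy
// that matter here (constructed for this example; not Tekton's real type):
// a mode and the spec.resources[].pattern strings that select resources by
// their refSource.URI.
type Policy struct {
	Name     string
	Mode     string   // "enforce" or "warn"
	Patterns []string // spec.resources[].pattern
}

// MatchUnanchored is the vulnerable check: regexp.MatchString succeeds if the
// pattern occurs anywhere in the URI, so "a" matches "xax".
func MatchUnanchored(pattern, uri string) (bool, error) {
	return regexp.MatchString(pattern, uri)
}

// MatchAnchored wraps the policy pattern in a group and anchors it at both
// ends, so the whole URI must match rather than any substring of it.
func MatchAnchored(pattern, uri string) (bool, error) {
	re, err := regexp.Compile(`^(?:` + pattern + `)$`)
	if err != nil {
		return false, err
	}
	return re.MatchString(uri), nil
}

// AnchoredRepoPattern builds a safe pattern for "exactly this repository,
// optionally followed by a path inside it": regexp.QuoteMeta escapes the dots
// and other metacharacters in the URL, and the result is anchored at both ends.
func AnchoredRepoPattern(repoURL string) string {
	return `^` + regexp.QuoteMeta(repoURL) + `(?:/.*)?$`
}

// MatchingPolicies returns the names of the policies whose patterns select
// uri under the supplied matcher. This selection is what decides which
// verification mode and keys are applied to the resource.
func MatchingPolicies(policies []Policy, uri string,
	match func(pattern, uri string) (bool, error)) ([]string, error) {
	var names []string
	for _, p := range policies {
		for _, pat := range p.Patterns {
			ok, err := match(pat, uri)
			if err != nil {
				return nil, fmt.Errorf("policy %s: pattern %q: %w", p.Name, pat, err)
			}
			if ok {
				names = append(names, p.Name)
				break
			}
		}
	}
	return names, nil
}

// Constructed sample inputs (not taken from any real cluster).
const (
	// Unanchored pattern in the style of the documentation examples.
	TrustedPattern = `https://github.com/tektoncd/catalog.git`
	TrustedURI     = `https://github.com/tektoncd/catalog.git`
	// Attacker-controlled source string that embeds the trusted pattern.
	AttackerURI = `https://git.evil.example/mirror/https://github.com/tektoncd/catalog.git`
	// Exploits the unescaped dots instead: '.' matches '-' and 'X'.
	DotBypassURI = `https://github-com/tektoncd/catalogXgit`
)

// SamplePolicies: a strict policy for the trusted catalog and a permissive
// fallback, the shape in which a substring match changes the outcome.
var SamplePolicies = []Policy{
	{Name: "trusted-catalog", Mode: "enforce", Patterns: []string{TrustedPattern}},
	{Name: "catch-all", Mode: "warn", Patterns: []string{`.*`}},
}

func main() {
	safePattern := AnchoredRepoPattern(TrustedURI)
	for _, uri := range []string{TrustedURI, AttackerURI, DotBypassURI} {
		weak, _ := MatchingPolicies(SamplePolicies, uri, MatchUnanchored)
		strong, _ := MatchingPolicies(SamplePolicies, uri, MatchAnchored)
		// An anchored, quoted pattern is safe even through the vulnerable
		// MatchString path, which is what the workaround relies on.
		safe, _ := MatchUnanchored(safePattern, uri)
		fmt.Printf("%s\n  substring match selects: %v\n  anchored match selects:  %v\n  quoted+anchored trusted-catalog pattern: %v\n",
			uri, weak, strong, safe)
	}
}
```

Run it with go run; for each URI it lists which sample policies select it under substring matching versus anchored matching. The attacker URI is selected by trusted-catalog only under the substring check, while DotBypassURI passes even the anchored check because the dots in the pattern are still wildcards. The quoted and anchored pattern is rejected by the vulnerable MatchString path as well, which is why anchoring policy patterns works as a mitigation on unpatched versions, provided the pattern is built with regexp.QuoteMeta or the dots are escaped by hand.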


Advisories
Source: GitHub GHSA
ID: GHSA-rmx9-2pp3-xhcr
Title: Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
History

Fri, 22 May 2026 16:30:00 +0000

Description
  Removed: Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
  Added: Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.

Fri, 01 May 2026 16:45:00 +0000

Values added
  First Time appeared: Linuxfoundation; Linuxfoundation tekton Pipelines
  CPEs: cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*
  Vendors & Products: Linuxfoundation; Linuxfoundation tekton Pipelines

Thu, 23 Apr 2026 00:15:00 +0000

Values added
  Weaknesses: CWE-625
  References
  Metrics: threat_severity changed from None to Moderate


Tue, 21 Apr 2026 17:45:00 +0000

Values added
  First Time appeared: Tektoncd; Tektoncd pipeline
  Vendors & Products: Tektoncd; Tektoncd pipeline

Tue, 21 Apr 2026 17:15:00 +0000

Values added
  Metrics: ssvc (version 2.0.3): Exploitation: none; Automatable: no; Technical Impact: partial


Tue, 21 Apr 2026 16:30:00 +0000

Values added
  Description: Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
  Title: Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching
  Weaknesses: CWE-185
  References
  Metrics: cvssV3_1 score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T16:06:24.202Z

Reserved: 2026-02-02T19:59:47.375Z

Link: CVE-2026-25542

Vulnrichment

Updated: 2026-04-21T16:48:11.309Z

NVD

Status : Modified

Published: 2026-04-21T17:16:24.213

Modified: 2026-05-22T17:16:45.547

Link: CVE-2026-25542

Redhat

Severity : Moderate

Public Date: 2026-04-21T16:05:43Z

Links: CVE-2026-25542 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T18:00:14Z

Weaknesses