Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in the Tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: RegEx pattern bypass causing unintended policy match
Action: Apply patch
AI Analysis

Impact

Tekton Pipelines uses regular expression matching in its VerificationPolicy to validate resource source strings against defined patterns. The Go function used, regexp.MatchString, reports a match when the pattern appears anywhere in the target string. Consequently, unanchored patterns can be circumvented when an attacker controls a source string that contains the trusted pattern as a substring, allowing the policy to falsely approve the resource. This flaw can result in a pipeline configuration being verified under an incorrect set of keys or modes, potentially enabling the execution of malicious or unauthorized code within the CI/CD workflow.

Affected Systems

The vulnerability affects Tekton Pipelines versions 0.43.0 through 1.11.0 released by the TektonCD project. Any cluster running a version in this range and relying on VerificationPolicies for resource validation is impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity risk. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker who can supply or influence pipeline resource definitions, inserting a source string that contains the trusted pattern as a substring. By doing so, the attacker can cause an unintended policy match and alter the verification mode or keys applied to the pipeline. Exploitation requires the ability to author or modify a resource within the cluster, which may be available to a privileged user or through compromised CI tooling.

Generated by OpenCVE AI on April 21, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tekton Pipelines to version 1.12.0 or later, where the pattern matching logic has been corrected to enforce exact matches or proper anchoring.
  • If an upgrade is not immediately possible, modify existing VerificationPolicy patterns to include explicit start (^) and end ($) anchors so that only exact matches will succeed.
  • Audit all current VerificationPolicy configurations and verify that the applied keys and verification modes match the intended specifications, and monitor for any unexpected changes to policy application.

Generated by OpenCVE AI on April 21, 2026 at 22:43 UTC.
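The following Go program, added here as an illustration and not code from Tekton or OpenCVE, reproduces the matching behaviour from the description above and the anchoring fix from the recommended actions: MatchUnanchored calls regexp.MatchString as the affected versions do, MatchAnchored wraps the same pattern in \A(?:...)\z so it must cover the whole source string, and IsAnchored is a heuristic for auditing existing VerificationPolicy patterns. The ResourcePattern struct and all URIs are constructed sample values; the trusted pattern also escapes its dots, since an unescaped `.` in a regex matches any character.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ResourcePattern mirrors one spec.resources[] entry of a VerificationPolicy
// (hypothetical struct for this example, not Tekton's own type).
type ResourcePattern struct {
	Name    string
	Pattern string
}

// MatchUnanchored reproduces the affected behaviour: regexp.MatchString
// succeeds when the pattern matches anywhere inside the source string.
func MatchUnanchored(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// MatchAnchored forces the pattern to cover the whole source string. \A and
// \z are absolute anchors in RE2; the group keeps a|b inside the anchors.
func MatchAnchored(pattern, source string) (bool, error) {
	return regexp.MatchString(`\A(?:`+pattern+`)\z`, source)
}

// IsAnchored audits an existing pattern: starts with ^ or \A and ends with
// an unescaped $ or with \z. A heuristic, good enough for a policy review.
func IsAnchored(pattern string) bool {
	startOK := strings.HasPrefix(pattern, "^") || strings.HasPrefix(pattern, `\A`)
	endOK := strings.HasSuffix(pattern, `\z`) ||
		(strings.HasSuffix(pattern, "$") && !strings.HasSuffix(pattern, `\$`))
	return startOK && endOK
}

func main() {
	// Constructed sample values; neither URI refers to a real repository.
	policy := ResourcePattern{Name: "catalog", Pattern: `https://github\.com/example-org/trusted-catalog\.git`}
	crafted := "https://mirror.example/https://github.com/example-org/trusted-catalog.git"
	loose, _ := MatchUnanchored(policy.Pattern, crafted)
	strict, _ := MatchAnchored(policy.Pattern, crafted)
	fmt.Printf("policy %q anchored: %v\n", policy.Name, IsAnchored(policy.Pattern))
	fmt.Printf("crafted URI: unanchored match=%v, anchored match=%v\n", loose, strict)
}
```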

Tracking


Advisories

Source: GitHub GHSA
ID: GHSA-rmx9-2pp3-xhcr
Title: Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching
History

Tue, 21 Apr 2026 17:45:00 +0000

Values added:
  • First Time appeared: Tektoncd; Tektoncd pipeline
  • Vendors & Products: Tektoncd; Tektoncd pipeline

Tue, 21 Apr 2026 17:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 16:30:00 +0000

Values added:
  • Description: the CVE description shown at the top of this page
  • Title: Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching
  • Weaknesses: CWE-185
  • References: (no values shown)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Tektoncd Pipeline
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T16:48:15.671Z

Reserved: 2026-02-02T19:59:47.375Z

Link: CVE-2026-25542

Vulnrichment

Updated: 2026-04-21T16:48:11.309Z

NVD

Status : Received

Published: 2026-04-21T17:16:24.213

Modified: 2026-04-21T17:16:24.213

Link: CVE-2026-25542

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses