Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.
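The failure mode and the fix described above, as a simplified Go model added here (not Tekton's own code): specHash, vulnerableName and fixedName are constructed names, and the 32-character hash length is an assumption chosen so that the 31-character threshold in the description holds.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const maxLabelLen = 63 // DNS-1123 label limit
// specHash stands in for the spec hash suffix (constructed, not Tekton's code); 32 hex
// chars are assumed so that a 31-char resolver + "-" + hash is 64 chars, one over the limit.
func specHash(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:])[:32]
}

// vulnerableName models the failure mode: the full "<resolver>-<hash>" string is cut to
// 63 chars, then trimmed back to its last space. No space exists, LastIndex returns -1,
// and the slice bound panics. The panic is recovered and returned as an error.
func vulnerableName(resolver, spec string) (name string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("name generation panicked: %v", r)
		}
	}()
	name = resolver + "-" + specHash(spec)
	if len(name) > maxLabelLen {
		name = name[:maxLabelLen]
		name = name[:strings.LastIndex(name, " ")] // runtime panic: slice bound [:-1]
	}
	return name, nil
}

// fixedName follows the patch approach the advisory describes: only the resolver prefix is
// truncated, so the hash suffix survives and the result stays deterministic and in range.
func fixedName(resolver, spec string) string {
	hash := specHash(spec)
	maxPrefix := maxLabelLen - len(hash) - 1 // leave room for "-" + hash
	if len(resolver) > maxPrefix {
		resolver = strings.TrimRight(resolver[:maxPrefix], "-")
	}
	return resolver + "-" + hash
}

func main() {
	long := strings.Repeat("x", 31) // constructed: one char over the threshold
	_, err := vulnerableName(long, "spec")
	fmt.Println("vulnerable:", err, "| fixed:", fixedName(long, "spec"))
}
```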
Published: 2026-03-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

Tekton Pipelines crashes its controller when a TaskRun or PipelineRun specifies a custom resolver name of 31 or more characters. The controller generates a deterministic name that exceeds the 63-character DNS-1123 label limit; its truncation logic panics, leading to a CrashLoopBackOff that blocks all CI/CD reconciliation until the offending resource is removed. This results in a temporary denial of service for all pipeline activity in the affected cluster.

Affected Systems

The vulnerability impacts the Tekton Pipelines project from the Linux Foundation. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 are affected. All other releases, including 1.0.1 and later patch versions, are considered safe.

Risk and Exploitability

With a CVSS score of 6.5, the threat is moderate. The EPSS score is below 1%, indicating low immediate exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, any user who can create a TaskRun or PipelineRun within the cluster—whether through a CI/CD integration or direct API access—can trigger the crash. The attack does not require remote network access beyond legitimate cluster permissions, but it can disrupt entire CI/CD pipelines cluster‑wide, especially in environments where long custom resolver names are used.

Generated by OpenCVE AI on March 24, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tekton Pipelines to any release that contains the fix, such as 1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2.
  • Inspect existing TaskRun and PipelineRun resources for custom resolver names exceeding 30 characters, and delete or rename those resources to avoid triggering the bug.



Advisories

Source: Github GHSA
ID: GHSA-cv4x-93xx-wgfj
Title: Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun
History

Tue, 24 Mar 2026 16:30:00 +0000

  • First Time appeared: added Linuxfoundation; Linuxfoundation tekton Pipelines
  • CPEs: added cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*
  • Vendors & Products: added Linuxfoundation; Linuxfoundation tekton Pipelines

Sat, 21 Mar 2026 05:30:00 +0000

  • Weaknesses: added CWE-130
  • References
  • Metrics: threat_severity changed from None to Moderate


Fri, 20 Mar 2026 18:15:00 +0000

  • Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 16:30:00 +0000

  • First Time appeared: added Tektoncd; Tektoncd pipeline
  • Vendors & Products: added Tektoncd; Tektoncd pipeline

Fri, 20 Mar 2026 08:00:00 +0000

  • Description: added "Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2."
  • Title: added "Tekton Pipelines: Controller can panic when setting long resolver names in TaskRun/PipelineRun"
  • Weaknesses: added CWE-129
  • References
  • Metrics: added cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:07:35.331Z

Reserved: 2026-03-17T17:22:14.667Z

Link: CVE-2026-33022

Vulnrichment

Updated: 2026-03-20T16:22:21.183Z

NVD

Status : Analyzed

Published: 2026-03-20T08:16:11.293

Modified: 2026-03-24T16:19:48.663

Link: CVE-2026-33022

Redhat

Severity : Moderate

Public Date: 2026-03-20T07:48:15Z

Links: CVE-2026-33022 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:30:08Z

Weaknesses