CVE-2026-40923

low-risk

Published 2026-04-21

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but resolves to /tekton/results at runtime. This vulnerability is fixed in 1.11.1.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Tekton Pipelines

Affected Vendors

Linuxfoundation

References (2)

Release Notes https://github.com/tektoncd/pipeline/releases/tag/v1.11.1

Vendor Advisory https://github.com/tektoncd/pipeline/security/advisories/GHSA-rx35-6rhx-7858

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal