Path Traversal in Tektoncd Pipeline
CVE-2026-33211
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path trav…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (8.6th percentile)
CVSS v3 metric
CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N.
Affected products
- Tektoncd Pipeline, versions: >= 1.0.0, < 1.0.1; >= 1.1.0, < 1.3.3; >= 1.4.0, < 1.6.1
Weakness classification (CWE)
References
- https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c (x_refsource_CONFIRM)
- https://github.com/tektoncd/pipeline/commit/10fa538f9a2b6d01c75138f1ed7ba3da0e34687c (x_refsource_MISC)
- https://github.com/tektoncd/pipeline/commit/318006c4e3a5 (x_refsource_MISC)
- https://github.com/tektoncd/pipeline/commit/3ca7bc6e6dd1d97f80b84f78370d91edaf023cbd (x_refsource_MISC)
- https://github.com/tektoncd/pipeline/commit/961388fcf3374bc7656d28ab58ca84987e0a75ae (x_refsource_MISC)
- https://github.com/tektoncd/pipeline/commit/b1fee65b88aa969069c14c120045e97c37d9ee5e (x_refsource_MISC)
- https://github.com/tektoncd/pipeline/commit/cdb4e1e97a4f3170f9bc2cbfff83a6c8107bc3db (x_refsource_MISC)
- https://github.com/tektoncd/pipeline/commit/ec7755031a183b345cf9e64bea0e0505c1b9cb78 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-33211?
  - CVE-2026-33211 is a critical-severity vulnerability in Tektoncd Pipeline, classified under Path Traversal. CVSS score: 9.6/10. Published 2026-03-23.
- How severe is CVE-2026-33211?
  - Critical severity. CVSS v3 base score is 9.6 out of 10.