LeakyCreds

CVE-2026-33211 - Vulnerability Analysis

Critical | CVSS: 9.6

Last Updated: March 24, 2026

Tekton Pipelines - Path Traversal

Published: March 24, 2026 | Updated: March 24, 2026 | Remote Exploitable

Overview

Tekton Pipelines versions starting at 1.0.0 and prior to 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2 contain a path traversal vulnerability caused by improper validation of the pathInRepo parameter in the git resolver. Tenants with permission to create ResolutionRequest objects can read arbitrary files, including ServiceAccount tokens. Exploitation requires those tenant permissions.

Severity & Score

Severity: Critical
CVSS Score: 9.6
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Attackers with tenant permissions can read arbitrary files including sensitive tokens, risking credential theft and further system compromise.

Mitigation

Upgrade to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2 or later.

Social Media Activity (4 posts)

Offensive Sequence
@offseq
Mar 24, 2026

🚨 CRITICAL: CVE-2026-33211 in Tekton Pipelines (git resolver) enables path traversal attacks via pathInRepo, exposing sensitive files (like ServiceAccount tokens). Upgrade to fixed versions immediately. Details: https://radar.offseq.com/threat/cve-2026-33211-cwe-22-improper-limitation-of-a-pat-2bb49643 #OffSeq #Tekton #Kubernetes #Infosec

TheHackerWire
@thehackerwire
Mar 24, 2026

CVE-2026-33211 - Critical (9.6) Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2, the Tekton Pipelines git resolver is vulnerable to path traversal vi... https://www.thehackerwire.com/vulnerability/CVE-2026-33211/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33211
Severity: Critical
CVSS Score: 9.6
Type: path_traversal
Status: new
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Score

0.0% (Probability of exploitation in the next 30 days)