CVE-2026-33022
The Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31 or more characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound because the generated name contains no spaces. Once crashed, the controller enters CrashLoopBackOff on restart (since it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected because their names are short, but any sufficiently long custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.
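As an added illustration (not Tekton's own code), the following Go model reproduces the failure mode and the fix described above: the name layout `<resolver>-<runName>-<hash>`, the 32-character hash and the sample inputs are assumptions, so the exact resolver length at which the real implementation overflows the label limit differs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed model, not Tekton's GenerateDeterministicNameFromSpec: the
// layout <resolver>-<runName>-<hash> and the 32-char hash are assumptions.
const maxLabelLen = 63 // DNS-1123 label limit
// specHash is a deterministic digest of the resolver spec (assumed length).
func specHash(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:])[:32]
}

// vulnerableName models the pre-fix logic: an over-long name is cut at its last
// space, but generated names have none, so LastIndex gives -1 and name[:-1] panics.
func vulnerableName(resolver, runName, spec string) string {
	name := resolver + "-" + runName + "-" + specHash(spec)
	if len(name) > maxLabelLen {
		cut := strings.LastIndex(name, " ")
		name = name[:cut] // cut == -1 here: runtime panic takes the controller down
	}
	return name
}

// fixedName models the patch: only the prefix is truncated and the hash suffix
// is always kept, so the name stays within 63 chars, deterministic and unique.
func fixedName(resolver, runName, spec string) string {
	suffix := "-" + specHash(spec)
	prefix := resolver + "-" + runName
	if room := maxLabelLen - len(suffix); len(prefix) > room {
		prefix = strings.TrimRight(prefix[:room], "-") // a label must not end in '-'
	}
	return prefix + suffix
}

// crashes reports whether the vulnerable logic panics for the given input.
func crashes(resolver, runName, spec string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	vulnerableName(resolver, runName, spec)
	return false
}
func main() {
	spec, long := `{"name":"my-task"}`, strings.Repeat("x", 31) // constructed sample inputs
	fmt.Println("git crashes:", crashes("git", "build-1", spec), "custom crashes:", crashes(long, "build-1", spec))
	fmt.Println("fixed:", fixedName(long, "build-1", spec), len(fixedName(long, "build-1", spec)))
}
```

The `crashes` wrapper recovers the panic only for demonstration; in the real controller the panic is what produces the CrashLoopBackOff.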
EPSS 0.02% · 6.0th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | tektoncd/pipeline | 1.1.0, 1.4.0, 1.7.0 |
| tektoncd | pipeline | >= 0.60.0, < 1.0.1, *, * |
| linuxfoundation | tekton_pipelines | 0.60.0, 1.1.0, 1.4.0 |
Exploit Intelligence
Timeline
- Mar 17, 2026 CVE Published
- Mar 18, 2026 Security Advisory
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 CVE Updated
- Mar 25, 2026 EPSS Score
References
- https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj url
- https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-33022 advisory
- https://github.com/tektoncd/pipeline/commit/01673237c464cfac7e286183f5c9e9d6ec951a64 url
- https://github.com/tektoncd/pipeline/commit/0fa2d66cff814838c3a10cce252104c7fe618932 url
- https://github.com/tektoncd/pipeline/commit/5e4905fb6754efa5ecea54de195738d73fb0e01d url
- https://github.com/tektoncd/pipeline/commit/ebc197e2b9733deedaa1624212ec66dcdf61eaaf url
- https://github.com/tektoncd/pipeline/commit/edc64bbf22323fcf218170f19047c9bcd8163e90 url
- https://github.com/tektoncd/pipeline package