Vulnerability DatabaseCVE-2026-25542
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-25542
Published:April 21, 2026
Updated:May 25, 2026
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.
Affected Packages
https://github.com/tektoncd/pipeline.git (GITHUB):
Affected version(s) >=v0.43.0 <v1.11.0
Fix Suggestion:
Update to version v1.11.0
github.com/tektoncd/pipeline (GO):
Affected version(s) >=v1.2.0 <v1.3.4
Fix Suggestion:
Update to version v1.3.4
github.com/tektoncd/pipeline (GO):
Affected version(s) >=v1.7.0 <v1.9.3
Fix Suggestion:
Update to version v1.9.3
github.com/tektoncd/pipeline (GO):
Affected version(s) >=v1.10.0 <v1.11.1
Fix Suggestion:
Update to version v1.11.1
github.com/tektoncd/pipeline (GO):
Affected version(s) >=v0.43.0 <v1.0.2
Fix Suggestion:
Update to version v1.0.2
github.com/tektoncd/pipeline (GO):
Affected version(s) >=v0.43.0 <v1.11.0
Fix Suggestion:
Update to version v1.11.0
github.com/tektoncd/pipeline (GO):
Affected version(s) >=v1.4.0 <v1.6.2
Fix Suggestion:
Update to version v1.6.2
Related Resources (6)
https://github.com/tektoncd/pipeline/releases/tag/v1.11.0
https://github.com/tektoncd/pipeline/security/advisories/GHSA-rmx9-2pp3-xhcr
https://github.com/tektoncd/pipeline
https://nvd.nist.gov/vuln/detail/CVE-2026-25542
https://github.com/tektoncd/pipeline/commit/2c398711e6e9e232180508f0648425a8ea34dc9e
https://github.com/tektoncd/pipeline/commit/b8905600322aa86327baae0a7c04d6cf1207362a
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Incorrect Regular Expression
CWE-185
EPSS
Base Score:
0.04