Vulnerability Description
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Tekton Pipelines | >= 0.43.0, < 1.11.0 |
Related Weaknesses (CWE)
References
- https://github.com/tektoncd/pipeline/commit/b8905600322aa86327baae0a7c04d6cf1207Patch
- https://github.com/tektoncd/pipeline/security/advisories/GHSA-rmx9-2pp3-xhcrExploitVendor Advisory
FAQ
What is CVE-2026-25542?
CVE-2026-25542 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI)...
How severe is CVE-2026-25542?
CVE-2026-25542 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25542?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Tekton Pipelines.