{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33022", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.667Z", "datePublished": "2026-03-20T07:48:15.383Z", "dateUpdated": "2026-03-20T07:48:15.383Z"}, "containers": {"cna": {"title": "Tekton Pipelines: Controller can panic when setting long resolver names in TaskRun/PipelineRun", "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "lang": "en", "description": "CWE-129: Improper Validation of Array Index", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj"}, {"name": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6", "tags": ["x_refsource_MISC"], "url": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6"}], "affected": [{"vendor": "tektoncd", "product": "pipeline", "versions": [{"version": ">= 0.60.0, < 1.0.1", "status": "affected"}, {"version": ">= 1.1.0, < 1.3.3", "status": "affected"}, {"version": ">= 1.4.0, < 1.6.1", "status": "affected"}, {"version": ">= 1.7.0, < 1.9.2", "status": "affected"}, {"version": ">= 1.10.0, < 1.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T07:48:15.383Z"}, "descriptions": [{"lang": "en", "value": "Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2."}], "source": {"advisory": "GHSA-cv4x-93xx-wgfj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2."}], "id": "CVE-2026-33022", "lastModified": "2026-03-20T08:16:11.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-20T08:16:11.293", "references": [{"source": "[email protected]", "url": "https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6"}, {"source": "[email protected]", "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T09:27:17.070552+00:00", "value": {"mitigation_remediation": ["Upgrade tektoncd/pipeline to a patched version (1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2)."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected versions include tektoncd:pipeline from 0.60.0 to 1.0.0, 1.1.0 to 1.3.2, 1.4.0 to 1.6.0, 1.7.0 to 1.9.0, and the standalone 1.10.0 and 1.10.1 releases. Any user with permission to create TaskRun or PipelineRun resources can trigger the issue, regardless of the cluster configuration, unless the resolver name is one of the built\u2011in short names (git, cluster, bundles, hub).", "description_and_impact": "Tekton Pipelines vulnerability causes the controller to panic and crash when a TaskRun or PipelineRun specifies a custom resolver name longer than 30 characters. The generated deterministic name exceeds the Kubernetes DNS-1123 label limit and the truncation logic panics, resulting in a CrashLoopBackOff that blocks all CI/CD reconciliation until the offending resource is removed. This denial\u2011of\u2011service effect can disrupt pipeline execution for all users on the cluster.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV. Attackers only need permissions to create TaskRun or PipelineRun resources; no additional network access is required. Upon successful exploitation, the controller crashes and enters a CrashLoopBackOff, causing a denial of service until the offending resource is manually deleted."}}}}, "created": "2026-03-20T10:36:51.251801+00:00", "updated": "2026-03-20T10:36:51.251829+00:00", "vendors": []}