{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "1.0.0"
              },
              {
                "fixed": "1.0.2"
              },
              {
                "introduced": "1.2.0"
              },
              {
                "fixed": "1.3.4"
              },
              {
                "introduced": "1.4.0"
              },
              {
                "fixed": "1.6.2"
              },
              {
                "introduced": "1.7.0"
              },
              {
                "fixed": "1.9.3"
              },
              {
                "introduced": "1.10.0"
              },
              {
                "fixed": "1.11.1"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "d9974e2cce817a43c69789161f0824e05a7572af"
            },
            {
              "fixed": "0be1b6922f4e0f327cefd9832c974cb52b81971b"
            },
            {
              "introduced": "18736c39fd59f37b9f82b8ff17f38e3fd10a3acd"
            },
            {
              "fixed": "3826751c7f0433e5dda8f94ffb9aba2b82688289"
            },
            {
              "introduced": "eaf7dc1dca3e314c26d14caff8207026a2dfade7"
            },
            {
              "fixed": "99f573243e494b38c11dffde658867207f3992fe"
            },
            {
              "introduced": "478d30f0a799663216cd225cf826e0b1efdadee3"
            },
            {
              "fixed": "4b778d175176f80561df787f0b390a34b6904961"
            },
            {
              "introduced": "9db88e0a3f072ade16ad0d88f1fd6a391281cf39"
            },
            {
              "fixed": "5a882817386c72d545a7448b0793a758c0eba6b1"
            }
          ],
          "repo": "https://github.com/tektoncd/pipeline",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-wjxp-xrpv-xpff"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-201"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40161.json"
  },
  "details": "Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing serverURL to an attacker-controlled endpoint. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.",
  "id": "CVE-2026-40161",
  "modified": "2026-07-08T05:37:17.763300674Z",
  "published": "2026-04-21T16:26:27.381Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40161.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-wjxp-xrpv-xpff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40161"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/tektoncd/pipeline/issues/9608"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/tektoncd/pipeline/issues/9609"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL"
}