CVE-2026-40924 - Vulnerability Details

- Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Description

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.

Published: 2026-04-21

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

tektoncd

pipeline

affected

Version	Status	Constraints
`< 1.11.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*

No data.

Vendor Product Confidence Versions

Tektoncd

Pipeline

100%

Version	Status	Scheme	Platform
`[0,1.11.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-m2cx-gpqf-qf74	Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/tektoncd/pipeline/releases/tag/v1.11.1
https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74
https://nvd.nist.gov/vuln/detail/CVE-2026-40924
https://www.cve.org/CVERecord?id=CVE-2026-40924

History

Wed, 29 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://nvd.nist.gov/vuln/detail/CVE-2026-40924 https://www.cve.org/CVERecord?id=CVE-2026-40924
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 27 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linuxfoundation Linuxfoundation tekton Pipelines
CPEs		cpe:2.3:a:linuxfoundation:tekton_pipelines::::::go::*
Vendors & Products		Linuxfoundation Linuxfoundation tekton Pipelines

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 04:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tektoncd Tektoncd pipeline
Vendors & Products		Tektoncd Tektoncd pipeline

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response body within the 1-minute timeout window, causing the tekton-pipelines-resolvers pod to be OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) run in the same pod, crashing this pod denies resolution service to the entire cluster. Repeated exploitation causes a sustained crash loop. The same vulnerable code path is reached by both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations. This vulnerability is fixed in 1.11.1.
Title		Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion
Weaknesses		CWE-400
References		https://github.com/tektoncd/pipeline/releases/tag/v1.11.1 https://github.com/tektoncd/pipeline/security/advisories/GHSA-m2cx-gpqf-qf74
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Linuxfoundation Tekton Pipelines

Tektoncd Pipeline

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-21T20:47:47.178Z

Updated: 2026-04-22T13:21:28.680Z

Reserved: 2026-04-15T20:40:15.517Z

Link: CVE-2026-40924

Vulnrichment

Updated: 2026-04-22T13:21:13.460Z

NVD

Status : Analyzed

Published: 2026-04-21T21:16:45.720

Modified: 2026-04-27T18:06:10.710

Link: CVE-2026-40924

Redhat

Severity : Moderate

Publid Date: 2026-04-21T20:47:47Z

Links: CVE-2026-40924 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object