{"id":"CVE-2026-25542","summary":"Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching","details":"Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.","aliases":["GHSA-rmx9-2pp3-xhcr","GO-2026-5630"],"modified":"2026-07-08T08:12:26.038819405Z","published":"2026-04-21T16:05:43.217Z","related":["CGA-hmrw-j52p-4jmv"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25542.json","cwe_ids":["CWE-185"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25542.json"},{"type":"ADVISORY","url":"https://github.com/tektoncd/pipeline/security/advisories/GHSA-rmx9-2pp3-xhcr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25542"},{"type":"FIX","url":"https://github.com/tektoncd/pipeline/commit/b8905600322aa86327baae0a7c04d6cf1207362a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tektoncd/pipeline","events":[{"introduced":"45e6ed63348f9c00cc4374df4a07da1553dfa0cf"},{"fixed":"383d57b75e404e1f6f490ed62aba9d36a98a9ff6"},{"fixed":"b8905600322aa86327baae0a7c04d6cf1207362a"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:*","extracted_events":[{"introduced":"0.43.0"},{"fixed":"1.11.0"}]}}],"versions":["v1.11.0","v1.10.0","v1.9.0","v1.6.0","v1.7.0","v1.5.0","v1.4.0","v1.3.0","v1.2.0","v1.0.0","v1.1.0","v0.70.0","v0.69.0","v0.68.0","v0.66.0","v0.65.0","v0.64.0","v0.63.0","v0.62.0","v0.61.0","v0.60.0","v0.59.0","v0.58.0","v0.57.0","v0.56.0","v0.55.0","v0.54.0","v0.53.0","v0.52.0","v0.51.0","v0.50.0","v0.49.0","v0.48.0","v0.47.0","v0.46.0","v0.45.0","v0.44.0","v0.43.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25542.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}