{"id":"CVE-2026-40923","summary":"Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check","details":"Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but resolves to /tekton/results at runtime. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.","aliases":["GHSA-rx35-6rhx-7858","GO-2026-5643"],"modified":"2026-07-15T01:49:01.024630271Z","published":"2026-04-21T20:50:53.742Z","related":["CGA-24jx-38xx-crv2"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40923.json"},"references":[{"type":"WEB","url":"https://github.com/tektoncd/pipeline/releases/tag/v1.11.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40923.json"},{"type":"ADVISORY","url":"https://github.com/tektoncd/pipeline/security/advisories/GHSA-rx35-6rhx-7858"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40923"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tektoncd/pipeline","events":[{"introduced":"d9974e2cce817a43c69789161f0824e05a7572af"},{"fixed":"0be1b6922f4e0f327cefd9832c974cb52b81971b"},{"introduced":"18736c39fd59f37b9f82b8ff17f38e3fd10a3acd"},{"fixed":"3826751c7f0433e5dda8f94ffb9aba2b82688289"},{"introduced":"eaf7dc1dca3e314c26d14caff8207026a2dfade7"},{"fixed":"99f573243e494b38c11dffde658867207f3992fe"},{"introduced":"478d30f0a799663216cd225cf826e0b1efdadee3"},{"fixed":"4b778d175176f80561df787f0b390a34b6904961"},{"introduced":"9db88e0a3f072ade16ad0d88f1fd6a391281cf39"},{"fixed":"5a882817386c72d545a7448b0793a758c0eba6b1"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"1.0.0"},{"fixed":"1.0.2"},{"introduced":"1.2.0"},{"fixed":"1.3.4"},{"introduced":"1.4.0"},{"fixed":"1.6.2"},{"introduced":"1.7.0"},{"fixed":"1.9.3"},{"introduced":"1.10.0"},{"fixed":"1.11.1"}]}}],"versions":["v1.11.0","v1.3.3","v1.6.1","v1.9.2","v1.0.1","v1.9.1","v1.10.0","v1.9.0","v1.6.0","v1.7.0","v1.5.0","v1.3.2","v1.4.0","v1.3.1","v1.3.0","v1.2.0","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40923.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}