CVE-2026-25542

MEDIUM 6.5

Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode/keys apply.

CWE	CWE-185
Vendor	tektoncd
Product	pipeline
Published	Apr 21, 2026
Last Updated	Apr 21, 2026

Stay Ahead of the Next One

Get instant alerts for tektoncd pipeline

Be the first to know when new medium vulnerabilities affecting tektoncd pipeline are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

tektoncd / pipeline

>= 0.43.0, <= 1.11.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/tektoncd/pipeline/security/advisories/GHSA-rmx9-2pp3-xhcr github.com: https://github.com/tektoncd/pipeline/commit/b8905600322aa86327baae0a7c04d6cf1207362a