{
  "threat_severity" : "Important",
  "public_date" : "2026-04-21T20:45:24Z",
  "bugzilla" : {
    "description" : "github.com/tektoncd/pipeline: Tekton Pipelines: Arbitrary code execution and secret exfiltration via malicious git commands",
    "id" : "2460292",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460292"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-88",
  "details" : [ "Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. Versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1 fix the issue.", "A flaw was found in Tekton Pipelines, a system for declaring continuous integration/continuous delivery (CI/CD) pipelines. An authenticated user, able to submit `ResolutionRequest` objects, can exploit a vulnerability by injecting malicious commands into the git resolver's revision parameter. This allows for the execution of unauthorized programs on the resolver pod. Successful exploitation can lead to the exfiltration of all cluster-wide secrets, resulting in significant information disclosure." ],
  "statement" : "This Important flaw in Tekton Pipelines allows an authenticated user to achieve arbitrary code execution on the resolver pod by injecting malicious commands into the git resolver's revision parameter. This vulnerability happens because the `revision` parameter is passed as a positional argument to the `git fetch` command without any previous validation whether the parameter's value doesn't start with `-` character. Combining this lack of validation with the fact the function which validates the repository URL explicitly allows a repository URL to being with `/`, translating to a local filesystem. An attacker with enough privileges to perform an operation which trigger resolvers to use the `ResolutionRequest` function can \nchain both behaviors to trick Tekton Pipelines to load and execute an arbitrary binary on the resolver pod.\nExploring this vulnerability may be considered of a high complexity as an attacker needs to either know an existing valid git repository located at a predicable path already in the resolver pod or a default URL configuration pointing to a local filesystem's path.\nA successful exploitation of the flaw can lead to the exfiltration of all cluster-wide secrets, posing a significant risk to the integrity and confidentiality of the OpenShift environment. Additionally, depending on the data included in the `kubeconfig` files, an attacker may achieve privilege escalation or perform lateral movements within the targeted cluster.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Builds 1.7.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24359",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-controller-rhel9:1780373846"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24359",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-git-cloner-rhel9:1780374151"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24359",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-image-bundler-rhel9:1780373867"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24359",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-image-processing-rhel9:1780373835"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24359",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-rhel9-operator:1780480839"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24359",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-waiters-rhel9:1780374228"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.7.3",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24359",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.7::el9",
    "package" : "openshift-builds/openshift-builds-webhook-rhel9:1780374084"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.8.0",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17546",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.8::el9",
    "package" : "openshift-builds/openshift-builds-controller-rhel9:1778683229"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.8.0",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17546",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.8::el9",
    "package" : "openshift-builds/openshift-builds-git-cloner-rhel9:1778683134"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.8.0",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17546",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.8::el9",
    "package" : "openshift-builds/openshift-builds-image-bundler-rhel9:1778683436"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.8.0",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17546",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.8::el9",
    "package" : "openshift-builds/openshift-builds-image-processing-rhel9:1778682932"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.8.0",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17546",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.8::el9",
    "package" : "openshift-builds/openshift-builds-waiters-rhel9:1778682930"
  }, {
    "product_name" : "Red Hat OpenShift Builds 1.8.0",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17546",
    "cpe" : "cpe:/a:redhat:openshift_builds:1.8::el9",
    "package" : "openshift-builds/openshift-builds-webhook-rhel9:1778682920"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.21",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24484",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.21::el9",
    "package" : "serve-tkn-cli-1-21-serve-tkn-cli-1.21.1"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.21",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26519",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.21::el9",
    "package" : "openshift-pipelines/pipelines-rhel9-operator:1780645012"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.21",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26538",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.21::el9",
    "package" : "openshift-pipelines/pipelines-operator-bundle:1781686494"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Not affected",
    "package_name" : "openshift-lightspeed/openshift-mcp-server-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-chains-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-chains-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-cli-tkn-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-cli-tkn-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-entrypoint-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-entrypoint-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-events-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-events-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-git-init-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-git-init-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-hub-api-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-api-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-manual-approval-gate-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-manual-approval-gate-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-manual-approval-gate-webhook-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-manual-approval-gate-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-nop-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-nop-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-opc-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-operator-proxy-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-operator-proxy-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-operator-webhook-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-operator-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-pruner-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-resolvers-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-resolvers-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-results-api-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-results-api-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-results-watcher-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-results-watcher-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-sidecarlogresults-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-sidecarlogresults-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-core-interceptors-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-core-interceptors-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-eventlistenersink-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-eventlistenersink-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-webhook-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-triggers-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-webhook-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Not affected",
    "package_name" : "openshift-pipelines/pipelines-workingdirinit-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-workingdirinit-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "openshift-serverless-1/kn-client-kn-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "openshift-serverless-1/kn-plugin-func-func-util-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-ml-pipelines-api-server-v2-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-ml-pipelines-driver-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-ml-pipelines-launcher-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/kubevirt-ssp-operator-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "container-native-virtualization/kubevirt-template-validator-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/ec-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40938\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40938\nhttps://github.com/tektoncd/pipeline/releases/tag/v1.11.1\nhttps://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq" ],
  "name" : "CVE-2026-40938",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}