Anonymous Intelligence Signal

Tekton Pipelines Git Resolver Exposes Critical Path Traversal Vulnerability (CVE-2026-33211)

The Lab (human) | unverified | 2026-03-26 05:27:08 | Source: GitHub Issues

A critical flaw in Tekton Pipelines' git resolver lets any authenticated user who can drive the resolver read any file the resolver process can access in its pod's filesystem, including the mounted ServiceAccount token. The vulnerability, tracked as CVE-2026-33211, stems from missing path validation in the `getFileContent()` function: a user-controlled parameter is joined onto the repository clone directory without a containment check, a classic path traversal.

The vulnerability resides in the `github.com/tektoncd/pipeline` module. Specifically, the git resolver's `getFileContent()` function in `pkg/resolution/resolver/git/repository.go` builds the file path by concatenating the repository's clone directory with the user-supplied `pathInRepo` parameter, without sanitizing it or checking that the result still lies under the clone directory. Any tenant with permission to create `ResolutionRequests` (typically by creating `TaskRuns` or `PipelineRuns` that use the git resolver) can therefore supply `..` segments to reach files outside the intended repository directory.
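As an added example (not Tekton's own code; `readFileUnchecked`, `readFileChecked`, `resolveInRepo` and the fixture are hypothetical names), the Go program below places the unchecked join the advisory describes next to a hardened version that rejects any `pathInRepo` whose cleaned path, or whose symlink target, lands outside the clone directory. The symlink check goes beyond what the advisory reports; it is the usual companion of a lexical containment check, because a repository can commit a symlink that points out of the tree. The directory layout is built in a temporary directory and its contents are made up.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo: the requested pathInRepo does not stay inside the clone.
var ErrOutsideRepo = errors.New("pathInRepo escapes the repository clone directory")

// readFileUnchecked models the vulnerable pattern the advisory describes:
// clone directory and user-controlled pathInRepo are joined and read with no
// containment check, so "../" segments walk out of the repository.
// Hypothetical illustration, not Tekton's getFileContent().
func readFileUnchecked(cloneDir, pathInRepo string) ([]byte, error) {
	return os.ReadFile(filepath.Join(cloneDir, pathInRepo))
}

// within reports whether the absolute, cleaned path p is at or below root.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveInRepo returns the canonical path of pathInRepo inside cloneDir, or
// ErrOutsideRepo if either the lexically cleaned path or the symlink target
// it points at lands outside the clone directory.
func resolveInRepo(cloneDir, pathInRepo string) (string, error) {
	if filepath.IsAbs(pathInRepo) {
		return "", ErrOutsideRepo
	}
	root, err := filepath.Abs(cloneDir)
	if err != nil {
		return "", err
	}
	// Canonicalise the root too (e.g. /var -> /private/var on macOS) so both
	// sides of the comparison are symlink-free.
	root, err = filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, pathInRepo) // Join cleans, collapsing ".."
	if !within(root, full) {
		return "", ErrOutsideRepo
	}
	// A file inside the repository may itself be a symlink pointing out of it.
	target, err := filepath.EvalSymlinks(full)
	if err != nil {
		return "", err
	}
	if !within(root, target) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

// readFileChecked is the hardened counterpart of readFileUnchecked.
func readFileChecked(cloneDir, pathInRepo string) ([]byte, error) {
	p, err := resolveInRepo(cloneDir, pathInRepo)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

// buildFixture creates a constructed layout in a temp dir and returns the
// "clone" directory plus a cleanup function:
//   <tmp>/repo/task.yaml                 legitimate file inside the clone
//   <tmp>/repo/link -> ../secret/token   symlink that escapes the clone
//   <tmp>/secret/token                   stand-in for a file outside the clone
func buildFixture() (string, func(), error) {
	tmp, err := os.MkdirTemp("", "git-resolver-demo-")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(tmp) }
	repo := filepath.Join(tmp, "repo")
	secret := filepath.Join(tmp, "secret", "token")
	for _, step := range []func() error{
		func() error { return os.MkdirAll(repo, 0o700) },
		func() error { return os.MkdirAll(filepath.Dir(secret), 0o700) },
		func() error { return os.WriteFile(filepath.Join(repo, "task.yaml"), []byte("kind: Task\n"), 0o600) },
		func() error { return os.WriteFile(secret, []byte("constructed-sa-token"), 0o600) },
		func() error { return os.Symlink(filepath.Join("..", "secret", "token"), filepath.Join(repo, "link")) },
	} {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return repo, cleanup, nil
}
```

Note that `filepath.Join` already neutralises an absolute `pathInRepo` (it is appended under the root), so the traversal in the unchecked variant depends on `..` segments; the hardened variant rejects absolute paths explicitly, rejects anything whose cleaned form leaves the root, and then repeats the check on the symlink-resolved target.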

On successful exploitation, the resolver base64-encodes the target file's contents and returns them in the `resolutionrequest.status.data` field, just as it would a legitimately resolved file. That gives the attacker every file the resolver process can read, most importantly its mounted ServiceAccount token, which can be replayed against the Kubernetes API for credential theft and lateral movement within the cluster. Version v1.6.1 patches the flaw, so upgrading is the priority for every deployment that uses the git resolver. Until then, restricting which tenants may create `TaskRuns` or `PipelineRuns` that use the git resolver, and reviewing existing `ResolutionRequest` objects for `pathInRepo` values containing `..`, limits exposure; if exploitation is suspected, treat the resolver's ServiceAccount token as compromised and rotate it.