CVE & CISA-KEV Catalog

CVE-2026-25542

MEDIUM 6.5 (CVSS v3, NVD)

Description

The Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 0.43.0 to 1.11.0, trusted resources verification policies match a resource source string (refSource.URI) against spec.resources[].pattern using regexp.MatchString. In Go, regexp.MatchString reports a match if the pattern matches anywhere in the string, so common unanchored patterns (including examples in the Tekton documentation) can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This can cause an unintended policy match and change which verification mode and keys apply.
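The Go sketch below is an added example, not Tekton's code. It shows the substring semantics of regexp.MatchString described above, next to a whole-string match and a check that flags a policy pattern that is open at either end. The repository URL, the patterns and the helper names (matchAnywhere, matchWhole, acceptsPadding) are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// matchAnywhere shows the semantics the description refers to:
// regexp.MatchString is true if pattern matches any substring of source.
func matchAnywhere(pattern, source string) (bool, error) {
	return regexp.MatchString(pattern, source)
}

// matchWhole requires the pattern to cover the entire source string by
// wrapping it in \A(?:...)\z before compiling.
func matchWhole(pattern, source string) (bool, error) {
	re, err := regexp.Compile(`\A(?:` + pattern + `)\z`)
	if err != nil {
		return false, err
	}
	return re.MatchString(source), nil
}

// acceptsPadding audits one policy pattern against a known-good source:
// it reports whether the pattern still matches after text is added before
// (prefix) or after (suffix) that source, i.e. which ends are unanchored.
func acceptsPadding(pattern, good string) (prefix, suffix bool, err error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, false, err
	}
	if !re.MatchString(good) {
		return false, false, fmt.Errorf("pattern %q does not match %q", pattern, good)
	}
	return re.MatchString("padding-" + good), re.MatchString(good + "-padding"), nil
}

func main() {
	const good = "https://github.com/example-org/catalog.git" // constructed sample
	patterns := []string{
		`https://github.com/example-org/catalog.git`,      // unanchored
		`^https://github\.com/example-org/catalog\.git$`, // anchored, dots escaped
	}
	for _, p := range patterns {
		pre, suf, err := acceptsPadding(p, good)
		fmt.Printf("%q prefix=%v suffix=%v err=%v\n", p, pre, suf, err)
	}
}
```

A pattern for which acceptsPadding returns true at either end should be anchored with ^ and $ when reviewing policies.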

How to fix

Remediation Available

Product: tekton pipelines (NVD)
Affected: >= 0.43.0, < 1.11.0
Fixed in: 1.11.0
CVE-2026-25542, derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Impact

Confidentiality: None
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploit Intelligence

0.26% probability of exploitation in 30 days
18th percentile

Low risk: more likely to be exploited than 18% of all known CVEs.

References

Exploit: 1

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-05-01.