Tekton, Regex Substring Matching Bypass, N/A (medium)

Listen to this Post

How the CVE works (around 20 lines):

The vulnerability exists in Tekton’s Trusted Resources verification system. When matching a resource source string (refSource.URI) against spec.resources[].pattern, the code uses Go’s regexp.MatchString. In Go, this function returns `true` if the pattern matches any substring of the input, not necessarily the entire string. Many documented examples (including Tekton’s own) show unanchored patterns like https://github.com/tektoncd/catalog.git`. An attacker can control `refSource.URI` (e.g., via a malicious pipeline definition) and craft a value such ashttps://evil.com/?x=https://github.com/tektoncd/catalog.git`. Because the trusted substring appears inside the attacker’s string, the unanchored regex matches successfully. This causes the policy to incorrectly treat the attacker’s resource as trusted, altering which verification mode or keys are applied. The flawed logic resides in `pkg/trustedresources/verify.go` lines 118–137 (getMatchedPolicies). Deployments that anchor patterns with `^…$` or where attackers cannot influence `refSource.URI` are not affected. The proof-of-concept test shows `

` and `[bash]` in canonical run, while negative control emits `[bash]` without <code>[bash]</code>. Fix requires full-string matching by wrapping patterns as `^(?:pattern)$` or changing regex semantics.

<h2 style="color: blue;">dailycve form:</h2>

Platform: Tekton
Version: Affected versions unknown
Vulnerability : Regex substring bypass
Severity: Medium
date: 2026-04-21

<h2 style="color: blue;">Prediction: 2026-05-15</h2>

<h2 style="color: blue;">Analytics</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

[bash]
Clone POC and run canonical test
unzip -q -o poc.zip -d /tmp/poc-tekton-regex-001
cd /tmp/poc-tekton-regex-001/poc-F-TEKTON-REGEX-001
bash ./run.sh canonical | tee /tmp/tekton-regex-001-canonical.log
Run negative control
bash ./run.sh control | tee /tmp/tekton-regex-001-control.log
Verify vulnerability markers
grep -n '[PROOF_MARKER]' /tmp/tekton-regex-001-canonical.log \
&& grep -n '[NC_MARKER]' /tmp/tekton-regex-001-control.log \
&& ! grep -n '[PROOF_MARKER]' /tmp/tekton-regex-001-control.log

how Exploit:

Attacker sets `refSource.URI` to a string containing the trusted pattern as a substring, e.g., https://evil.com/?x=https://github.com/tektoncd/catalog.git`. The unanchored regex matches, causing policy to treat malicious source as trusted.
<h2 style="color: blue;">Protection from this CVE:</h2>
Anchor all `VerificationPolicy` resource patterns with `^` and
$. Example:pattern: “^https://github\\.com/tektoncd/catalog\\.git$”`. Alternatively, wrap patterns as `^(?:pattern)$` before matching.

Impact:

Policy bypass – attacker can cause unintended policy match, potentially applying wrong verification mode or keys, leading to execution of untrusted resources.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top