Listen to this Post
How the CVE works (around 20 lines):
The vulnerability exists in Tekton’s Trusted Resources verification system. When matching a resource source string (refSource.URI) against spec.resources[].pattern, the code uses Go’s regexp.MatchString. In Go, this function returns `true` if the pattern matches any substring of the input, not necessarily the entire string. Many documented examples (including Tekton’s own) show unanchored patterns like https://github.com/tektoncd/catalog.git`. An attacker can control `refSource.URI` (e.g., via a malicious pipeline definition) and craft a value such ashttps://evil.com/?x=https://github.com/tektoncd/catalog.git`. Because the trusted substring appears inside the attacker’s string, the unanchored regex matches successfully. This causes the policy to incorrectly treat the attacker’s resource as trusted, altering which verification mode or keys are applied. The flawed logic resides in `pkg/trustedresources/verify.go` lines 118–137 (getMatchedPolicies). Deployments that anchor patterns with `^…$` or where attackers cannot influence `refSource.URI` are not affected. The proof-of-concept test shows `
` and `[bash]` in canonical run, while negative control emits `[bash]` without <code>[bash]</code>. Fix requires full-string matching by wrapping patterns as `^(?:pattern)$` or changing regex semantics. <h2 style="color: blue;">dailycve form:</h2> Platform: Tekton Version: Affected versions unknown Vulnerability : Regex substring bypass Severity: Medium date: 2026-04-21 <h2 style="color: blue;">Prediction: 2026-05-15</h2> <h2 style="color: blue;">Analytics</h2> <h2 style="color: blue;">What Undercode Say:</h2> [bash] Clone POC and run canonical test unzip -q -o poc.zip -d /tmp/poc-tekton-regex-001 cd /tmp/poc-tekton-regex-001/poc-F-TEKTON-REGEX-001 bash ./run.sh canonical | tee /tmp/tekton-regex-001-canonical.log Run negative control bash ./run.sh control | tee /tmp/tekton-regex-001-control.log Verify vulnerability markers grep -n '[PROOF_MARKER]' /tmp/tekton-regex-001-canonical.log \ && grep -n '[NC_MARKER]' /tmp/tekton-regex-001-control.log \ && ! grep -n '[PROOF_MARKER]' /tmp/tekton-regex-001-control.log
how Exploit:
Attacker sets `refSource.URI` to a string containing the trusted pattern as a substring, e.g., https://evil.com/?x=https://github.com/tektoncd/catalog.git`. The unanchored regex matches, causing policy to treat malicious source as trusted.$
<h2 style="color: blue;">Protection from this CVE:</h2>
Anchor all `VerificationPolicy` resource patterns with `^` and. Example:pattern: “^https://github\\.com/tektoncd/catalog\\.git$”`. Alternatively, wrap patterns as `^(?:pattern)$` before matching.
Impact:
Policy bypass – attacker can cause unintended policy match, potentially applying wrong verification mode or keys, leading to execution of untrusted resources.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

