CVE-2026-33211 is the highest-scored discrete CVE in this rollup (CVSS 9.6, critical) and represents an immediately exploitable credential-theft path in Tekton Pipelines. Any tenant with standard TaskRun or PipelineRun creation permissions can traverse the git resolver’s filesystem to exfiltrate Kubernetes ServiceAccount tokens, with extracted content returned in a base64-encoded API field requiring no special tooling. Patched versions (1.0.1, 1.3.3, 1.6.1, 1.9.2, 1.10.2) are available; organizations should upgrade immediately and rotate ServiceAccount tokens mounted in the resolver pod during the exposure window.