CVE-2026-33211 (CVSS 9.6) is a path traversal vulnerability in the Tekton Pipelines git resolver allowing any authenticated tenant with pipeline creation rights to read arbitrary files from the resolver pod — including Kubernetes ServiceAccount tokens — returned base64-encoded in resolutionrequest status fields. In multi-tenant CI/CD environments this creates a direct privilege escalation path from authenticated pipeline creator to cluster-level access. Immediate actions: patch to the appropriate fixed release (1.0.1, 1.3.3, 1.6.1, 1.9.2, or 1.10.2 depending on branch), review RBAC to restrict pipeline creation permissions, and redeploy resolver pods to force token refresh.