Description
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.
Published: 2026-06-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Woodpecker CI’s gRPC layer accepts a client‑supplied `agent_id` in the metadata even after it has validated the JWT. Consequently, any authenticated agent can forge the `agent_id` header and masquerade as another agent on the same server. This allows an attacker to execute jobs, push artifacts or otherwise act with the privileges of the impersonated agent, potentially accessing data, modifying pipelines, or impacting other tenants. The flaw is an authentication bypass (CWE‑290) combined with improper authorization enforcement (CWE‑639).

Affected Systems

Versions of Woodpecker CI from 3.0.0 up to, but not including, 3.14.1 are affected. The fix was introduced in 3.14.1. Woodpecker CI is an open‑source continuous integration and deployment platform.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated agent, so the attack vector is essentially authenticated internal traffic. An attacker with valid credentials, or a compromised agent token, can exploit the flaw by crafting a gRPC request with a forged `agent_id` in the metadata and force the server to treat the request as coming from a different agent. No additional software or escalated privileges are needed beyond the authenticated agent context.

Generated by OpenCVE AI on June 18, 2026 at 19:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Woodpecker CI to version 3.14.1 or later, which removes the ability to override the server‑verified agent identity.
  • If an upgrade is not immediately possible, disable organization agent registration by setting `WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true` and delete any existing agents to prevent spoofing.
  • Ensure that only trusted hosts can reach the gRPC service and that agent tokens are rotated regularly; consider isolating agents in separate subnets or using network policies to limit traffic to the gRPC endpoint.

Generated by OpenCVE AI on June 18, 2026 at 19:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Woodpecker-ci
Woodpecker-ci woodpecker
Vendors & Products Woodpecker-ci
Woodpecker-ci woodpecker

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.
Title Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
Weaknesses CWE-290
CWE-639
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Woodpecker-ci Woodpecker
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T16:10:41.914Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50141

cve-icon Vulnrichment

Updated: 2026-06-18T15:21:44.965Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing

  • CWE-639

    Authorization Bypass Through User-Controlled Key