Description
Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User returns nil, so any unauthenticated HTTP request triggers a NULL pointer dereference in the handler. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log. A low-bandwidth unauthenticated attacker can repeatedly probe the endpoint to flood the logs (about 37 lines per request), inflating disk usage and downstream log-ingestion cost and burying legitimate log events.
Published: 2026-06-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated HTTP request to /api/orgs/lookup/*org_full_name in Woodpecker versions prior to 3.15.0 reaches the LookupOrg handler with a nil session user; the handler dereferences it and the Go runtime panics with a nil-pointer dereference. The panic is caught by gin's recovery middleware, the server returns HTTP 500, and the full stack trace is written to the error log for every such request. Repeating the request floods the log with about 37 lines per probe, consuming disk space and inflating the cost of downstream log ingestion. The result is a denial-of-service condition on the logging and storage side: legitimate log entries are buried and disk and ingestion capacity are exhausted, while the server itself keeps answering requests.
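The pattern the advisory describes, as an added illustration that is not Woodpecker's code: a handler registered without authentication middleware dereferences the session user, a gin-style recovery wrapper turns the panic into a 500 plus a logged stack trace, and the fix is an auth check in front of the handler. It uses net/http instead of gin; the User type, the "session" cookie name, the "valid-token" value and the forge naming are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
	"strings"
)

// User is a simplified stand-in for the session user type named in the advisory.
type User struct {
	Login   string
	ForgeID int64
}

// lineCounter counts newline-terminated log lines, so the flood is measurable.
type lineCounter struct{ lines int }

func (c *lineCounter) Write(p []byte) (int, error) {
	c.lines += bytes.Count(p, []byte("\n"))
	return len(p), nil
}

// sessionUser models session.User: nil when the request carries no valid session.
// Cookie name and token value are constructed for this example.
func sessionUser(r *http.Request) *User {
	c, err := r.Cookie("session")
	if err != nil || c.Value != "valid-token" {
		return nil
	}
	return &User{Login: "alice", ForgeID: 1}
}

// forgeFromUser models ForgeFromUser: it dereferences user unconditionally.
func forgeFromUser(u *User) string {
	return fmt.Sprintf("forge-%d", u.ForgeID)
}

// lookupOrg models LookupOrg; the bug is that it can run with a nil user.
func lookupOrg(w http.ResponseWriter, r *http.Request) {
	u := sessionUser(r)      // nil for unauthenticated callers
	forge := forgeFromUser(u) // nil-pointer dereference => runtime panic
	org := strings.TrimPrefix(r.URL.Path, "/api/orgs/lookup/")
	fmt.Fprintf(w, "%s via %s\n", org, forge)
}

// recovery models gin's Recovery middleware: recover, log the stack, answer 500.
func recovery(next http.Handler, logger *log.Logger) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				logger.Printf("panic recovered: %v\n%s", rec, debug.Stack())
				w.WriteHeader(http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// requireUser is the shape of the fix: an unauthenticated request gets 401
// before the handler, and the nil dereference is never reached.
func requireUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if sessionUser(r) == nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// buildServer wires the route either as in Woodpecker < 3.15.0 (no auth
// middleware) or with requireUser in front, and returns the log-line counter.
func buildServer(patched bool) (http.Handler, *lineCounter) {
	counter := &lineCounter{}
	logger := log.New(counter, "", 0)
	var h http.Handler = http.HandlerFunc(lookupOrg)
	if patched {
		h = requireUser(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/api/orgs/lookup/", h) // trailing slash: matches the whole subtree
	return recovery(mux, logger), counter
}

// probe sends one GET to the lookup endpoint, with or without a session cookie,
// and returns the status code and the number of log lines that request produced.
func probe(h http.Handler, counter *lineCounter, authed bool) (int, int) {
	before := counter.lines
	req := httptest.NewRequest(http.MethodGet, "/api/orgs/lookup/some-org", nil)
	if authed {
		req.AddCookie(&http.Cookie{Name: "session", Value: "valid-token"})
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, counter.lines - before
}

func main() {
	for _, patched := range []bool{false, true} {
		h, c := buildServer(patched)
		for i := 0; i < 3; i++ {
			code, lines := probe(h, c, false)
			fmt.Printf("patched=%v unauthenticated probe: status=%d log lines=%d\n", patched, code, lines)
		}
		code, _ := probe(h, c, true)
		fmt.Printf("patched=%v authenticated request: status=%d\n", patched, code)
	}
}
```

The unpatched server answers every anonymous probe with 500 and a fresh stack trace in the log, which is exactly the amplification the advisory describes; the patched server answers 401 and logs nothing, and the authenticated path is unchanged in both. The exact line count per trace depends on the call depth, which is why the real service reported about 37 lines where this toy reports fewer.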

Affected Systems

Woodpecker CI (woodpecker-ci:woodpecker) in every version before 3.15.0 is vulnerable. The flaw is traced to a commit dated October 13, 2023, and the fix was included in the 3.15.0 release. Any deployment below 3.15.0 whose /api/orgs/lookup endpoint is reachable without a compensating access control in front of the application is affected.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (v3.1: 5.3) reflects a network-reachable flaw that needs no privileges or user interaction and affects availability only, with no confidentiality or integrity impact. Exploitation is trivial for any actor who can reach the server, since a single unauthenticated GET is enough and nothing but bandwidth limits the rate. No EPSS score is recorded, but the absence of authentication and the simplicity of the request make exploitation attempts plausible. The vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation while marking it automatable; the potential for disk exhaustion and log-ingestion cost inflation still warrants prompt remediation.

Generated by OpenCVE AI on June 30, 2026 at 17:23 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the CVE description identifies 3.15.0 as the first fixed version.

OpenCVE Recommended Actions

  • Upgrade to Woodpecker 3.15.0 or later, which puts authentication middleware in front of /api/orgs/lookup so the handler no longer runs with a nil session user.
  • If an upgrade cannot be performed immediately, deny the /api/orgs/lookup/ path at a reverse proxy or network ACL (the route is a wildcard, so match the whole prefix, not a single URL). A proxy generally cannot validate Woodpecker sessions, so the safe stopgap is to block the path outright or allow it only from trusted networks, and to rate-limit it so an attacker cannot generate stack traces faster than the logs can absorb them.
  • Implement log rotation and a hard limit on log file size so flooding cannot exhaust disk, and alert on bursts of HTTP 500 responses for this path, which are the attack's own signature in the access log. Rotation caps disk usage but not ingestion cost, so it complements rather than replaces the proxy restriction.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 18:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:45:00 +0000

Values removed: (none)

Type: Description
Values added: (the Description shown at the top of this page)

Type: Title
Values added: Woodpecker < 3.15.0 - Unauthenticated NULL Pointer Dereference in /api/orgs/lookup Enables Log-Flooding Denial of Service

Type: First Time appeared
Values added: Woodpecker-ci; Woodpecker-ci woodpecker

Type: Weaknesses
Values added: CWE-476

Type: CPEs
Values added: cpe:2.3:a:woodpecker-ci:woodpecker:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Woodpecker-ci; Woodpecker-ci woodpecker

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T17:53:12.541Z

Reserved: 2026-06-30T12:13:02.506Z

Link: CVE-2026-58369

Vulnrichment

Updated: 2026-06-30T17:53:06.716Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:30:15Z

Weaknesses