CVE-2026-61549: Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
A privilege escalation vulnerability affects Woodpecker instances using the Kubernetes backend.
The pipeline option backend_options.kubernetes.serviceAccountName was passed directly to the pod spec without any admin gating.
Who is impacted: any operator running the Kubernetes backend. Any user with Push permission on a connected repository can run pipeline pods under an arbitrary ServiceAccount in the pipeline namespace, gaining that account’s RBAC permissions. If a privileged ServiceAccount is reachable in that namespace, this can lead to secret exfiltration (database credentials, API keys, TLS certs) and full cluster takeover.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-61549 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →