Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. go.woodpecker-ci.org/woodpecker/v3
  4. ›
  5. CVE-2026-50141

CVE-2026-50141: Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation

July 14, 2026

A vulnerability in Woodpecker CI’s gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agent_id value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value.

References

  • github.com/advisories/GHSA-g7mm-9vx7-jm7h
  • github.com/woodpecker-ci/woodpecker-security/issues/21
  • github.com/woodpecker-ci/woodpecker/issues/6541
  • github.com/woodpecker-ci/woodpecker/pull/6567
  • github.com/woodpecker-ci/woodpecker/pull/6569
  • github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h
  • nvd.nist.gov/vuln/detail/CVE-2026-50141

Code Behaviors & Features

Detect and mitigate CVE-2026-50141 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 3.0.0 before 3.14.1

Fixed versions

  • 3.14.1

Solution

Upgrade to version 3.14.1 or above.

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-290: Authentication Bypass by Spoofing
  • CWE-639: Authorization Bypass Through User-Controlled Key

Source file

go/go.woodpecker-ci.org/woodpecker/v3/CVE-2026-50141.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 15 Jul 2026 12:18:05 +0000.