CVE-2026-50141: Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
A vulnerability in Woodpecker CI’s gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agent_id value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value.
References
- github.com/advisories/GHSA-g7mm-9vx7-jm7h
- github.com/woodpecker-ci/woodpecker-security/issues/21
- github.com/woodpecker-ci/woodpecker/issues/6541
- github.com/woodpecker-ci/woodpecker/pull/6567
- github.com/woodpecker-ci/woodpecker/pull/6569
- github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h
- nvd.nist.gov/vuln/detail/CVE-2026-50141
Code Behaviors & Features
Detect and mitigate CVE-2026-50141 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →