CVE-2026-50141: CWE-290: Authentication Bypass by Spoofing in woodpecker-ci woodpecker
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.
AI Analysis
Technical Summary
CVE-2026-50141 describes an authentication bypass vulnerability in Woodpecker CI's gRPC communication layer affecting versions >=3.0.0 <3.14.1. The vulnerability arises because the server, after verifying the JWT token, discards the verified agent identity and instead uses the client-supplied agent_id from outgoing gRPC metadata. This allows any authenticated agent to impersonate any other agent on the same server by forging the agent_id value. The issue is fixed in version 3.14.1. A temporary mitigation is to disable organization agents by setting WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true and deleting existing org agents.
Potential Impact
An attacker with authenticated agent access can impersonate other agents on the same Woodpecker CI server, potentially gaining unauthorized access or privileges associated with those agents. This could lead to unauthorized actions within the CI/CD environment. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Woodpecker CI to version 3.14.1 or later to apply the official fix. As a temporary workaround, disable organization agents by setting the environment variable WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true and delete any existing organization agents. This reduces the risk until the patch can be applied.
CVE-2026-50141: CWE-290: Authentication Bypass by Spoofing in woodpecker-ci woodpecker
Description
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.
CVSS v4.0
Score 7.1high
Affected software
pkg:github/woodpecker-ci/woodpeckerRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-50141 describes an authentication bypass vulnerability in Woodpecker CI's gRPC communication layer affecting versions >=3.0.0 <3.14.1. The vulnerability arises because the server, after verifying the JWT token, discards the verified agent identity and instead uses the client-supplied agent_id from outgoing gRPC metadata. This allows any authenticated agent to impersonate any other agent on the same server by forging the agent_id value. The issue is fixed in version 3.14.1. A temporary mitigation is to disable organization agents by setting WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true and deleting existing org agents.
Potential Impact
An attacker with authenticated agent access can impersonate other agents on the same Woodpecker CI server, potentially gaining unauthorized access or privileges associated with those agents. This could lead to unauthorized actions within the CI/CD environment. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Woodpecker CI to version 3.14.1 or later to apply the official fix. As a temporary workaround, disable organization agents by setting the environment variable WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true and delete any existing organization agents. This reduces the risk until the patch can be applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-03T18:49:32.275Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a33ff00f198dc38c1f0d3d4
Added to database: 6/18/2026, 2:21:52 PM
Last enriched: 6/18/2026, 2:35:06 PM
Last updated: 6/18/2026, 5:57:42 PM
Views: 116
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.