CVE-2026-58369: NULL Pointer Dereference in woodpecker-ci woodpecker
Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User returns nil, so any unauthenticated HTTP request triggers a NULL pointer dereference in the handler. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log. A low-bandwidth unauthenticated attacker can repeatedly probe the endpoint to flood the logs (about 37 lines per request), inflating disk usage and downstream log-ingestion cost and burying legitimate log events.
AI Analysis
Technical Summary
In woodpecker versions before 3.15.0, the /api/orgs/lookup/*org_full_name endpoint is registered without authentication middleware. The LookupOrg handler unconditionally dereferences session user data (user.ForgeID via ForgeFromUser). For unauthenticated requests, session.User is nil, leading to a NULL pointer dereference and a panic. The gin recovery middleware catches the panic, returning HTTP 500 errors and writing extensive panic stack traces to error logs. This allows a low-bandwidth unauthenticated attacker to repeatedly trigger the panic, flooding logs and inflating disk usage and log ingestion costs.
Potential Impact
The vulnerability does not allow data confidentiality or integrity breaches but causes a denial of service in the form of log flooding. This log flooding can inflate disk usage and increase costs related to log ingestion and storage. It also risks burying legitimate log events, potentially hindering incident detection and response.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the /api/orgs/lookup/*org_full_name endpoint or implement external authentication and rate limiting to prevent unauthenticated abuse and log flooding.
CVE-2026-58369: NULL Pointer Dereference in woodpecker-ci woodpecker
Description
Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User returns nil, so any unauthenticated HTTP request triggers a NULL pointer dereference in the handler. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log. A low-bandwidth unauthenticated attacker can repeatedly probe the endpoint to flood the logs (about 37 lines per request), inflating disk usage and downstream log-ingestion cost and burying legitimate log events.
CVSS v3.1
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In woodpecker versions before 3.15.0, the /api/orgs/lookup/*org_full_name endpoint is registered without authentication middleware. The LookupOrg handler unconditionally dereferences session user data (user.ForgeID via ForgeFromUser). For unauthenticated requests, session.User is nil, leading to a NULL pointer dereference and a panic. The gin recovery middleware catches the panic, returning HTTP 500 errors and writing extensive panic stack traces to error logs. This allows a low-bandwidth unauthenticated attacker to repeatedly trigger the panic, flooding logs and inflating disk usage and log ingestion costs.
Potential Impact
The vulnerability does not allow data confidentiality or integrity breaches but causes a denial of service in the form of log flooding. This log flooding can inflate disk usage and increase costs related to log ingestion and storage. It also risks burying legitimate log events, potentially hindering incident detection and response.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the /api/orgs/lookup/*org_full_name endpoint or implement external authentication and rate limiting to prevent unauthenticated abuse and log flooding.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-30T12:13:02.506Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a43f43127e9c79719185f97
Added to database: 06/30/2026, 16:52:01 UTC
Last enriched: 06/30/2026, 17:07:19 UTC
Last updated: 06/30/2026, 18:06:47 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.