GHSA-g7mm-9vx7-jm7h
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
Details
### Impact A vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value.
### Patches Direct patch: https://github.com/woodpecker-ci/woodpecker/pull/6567 Later proper fix: https://github.com/woodpecker-ci/woodpecker/pull/6569
### Workarounds Disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones
### Resources Public ref: https://github.com/woodpecker-ci/woodpecker/issues/6541 Private com: https://github.com/woodpecker-ci/woodpecker-security/issues/21
Are you affected?
Enter the version of the package you're using.
Affected packages
3.0.0 Fixed in: 3.14.1 go get go.woodpecker-ci.org/woodpecker/v3@v3.14.1 References
- https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-50141 [ADVISORY]
- https://github.com/woodpecker-ci/woodpecker-security/issues/21 [WEB]
- https://github.com/woodpecker-ci/woodpecker/issues/6541 [WEB]
- https://github.com/woodpecker-ci/woodpecker/pull/6567 [WEB]
- https://github.com/woodpecker-ci/woodpecker/pull/6569 [WEB]
- https://github.com/woodpecker-ci/woodpecker [PACKAGE]