GHSA-g7mm-9vx7-jm7h
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation
상세
### Impact A vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value.
### Patches Direct patch: https://github.com/woodpecker-ci/woodpecker/pull/6567 Later proper fix: https://github.com/woodpecker-ci/woodpecker/pull/6569
### Workarounds Disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones
### Resources Public ref: https://github.com/woodpecker-ci/woodpecker/issues/6541 Private com: https://github.com/woodpecker-ci/woodpecker-security/issues/21
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
3.0.0 수정 버전: 3.14.1 go get go.woodpecker-ci.org/woodpecker/v3@v3.14.1 참고
- https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-50141 [ADVISORY]
- https://github.com/woodpecker-ci/woodpecker-security/issues/21 [WEB]
- https://github.com/woodpecker-ci/woodpecker/issues/6541 [WEB]
- https://github.com/woodpecker-ci/woodpecker/pull/6567 [WEB]
- https://github.com/woodpecker-ci/woodpecker/pull/6569 [WEB]
- https://github.com/woodpecker-ci/woodpecker [PACKAGE]