Vulnerability  ·  2026-07-02

Woodpecker CI — GitLab Forge Pipeline Approval Bypass via Spoofable Commit Author Name Enables CI Secret Exfiltration

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-58370
CVE-2026-58370, published 2026-06-30 (CVSS v3 8.1 / CVSS v4 9.2 Critical per VulnCheck), is a bypass of the fork-approval security boundary in Woodpecker CI when it is used with GitLab. The commit.author.name field of the GitLab webhook payload is user-controlled and unverified, yet Woodpecker uses it as the identity for approval checks. Patched in v3.15.0.
CI/CD pipelines are critical AI infrastructure — they build, test, and deploy ML models and AI services. Bypassing fork-approval gates allows an external attacker to inject malicious steps into production AI pipelines, exfiltrate model training secrets (API keys, weights storage credentials, dataset access tokens), and potentially backdoor model artifacts. CVSS v4 9.2 Critical.
Woodpecker matches the ApprovalAllowedUsers bypass list against pipeline.Author, which for GitLab is sourced from the attacker-controlled git commit author name in the webhook payload (not the forge-verified sender identity). An attacker sets their commit author name to match an allowlisted username, making needsApproval return false so the pipeline executes without approval, running attacker-controlled steps on a Woodpecker agent with access to all CI secrets.
Woodpecker CI before 3.15.0 (GitLab forge driver only; Gitea, Forgejo, GitHub, Bitbucket not affected)
Upgrade to Woodpecker CI 3.15.0. Fix commit: https://github.com/woodpecker-ci/woodpecker/commit/98faae778c953678944996c89ed99307d2f16a3d
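The following Go program is an added illustration of the flaw class described above; it is not Woodpecker's code and not the fix commit. It contrasts an approval gate that matches the allow list against the commit author name with one that matches against the forge-authenticated webhook sender, and adds a check a defender can run over stored webhook bodies to spot commits whose author name claims an allow-listed user the sender does not hold. The type, function and field names are assumptions (GitLab's push hook does carry a top-level user_username for the authenticated pusher, but the payload below is constructed, not captured), and the names needsApproval and ApprovalAllowedUsers from the advisory are only echoed, not reproduced.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// gitLabPushHook is a minimal slice of a GitLab push webhook payload (field
// names assumed from GitLab's documented push hook). The top-level user_*
// fields describe the account GitLab authenticated; commits[].author is
// whatever the pusher wrote into the commit object and can name anyone.
type gitLabPushHook struct {
	UserUsername string `json:"user_username"`
	Commits      []struct {
		Author struct {
			Name string `json:"name"`
		} `json:"author"`
	} `json:"commits"`
}

// pipeline carries the two identities an approval gate could compare.
type pipeline struct {
	commitAuthorName string // unverified: copied from commits[].author.name
	senderLogin      string // forge-verified: the account that sent the hook
	fromFork         bool
}

// pipelineFromHook builds a pipeline from a raw hook body, keeping both identities.
func pipelineFromHook(raw []byte, fromFork bool) (pipeline, error) {
	var h gitLabPushHook
	if err := json.Unmarshal(raw, &h); err != nil {
		return pipeline{}, err
	}
	p := pipeline{senderLogin: h.UserUsername, fromFork: fromFork}
	if len(h.Commits) > 0 {
		p.commitAuthorName = h.Commits[len(h.Commits)-1].Author.Name
	}
	return p, nil
}

func inList(name string, allowed []string) bool {
	for _, u := range allowed {
		if u == name {
			return true
		}
	}
	return false
}

// needsApprovalVulnerable has the flawed shape the advisory describes:
// the allow list is matched against the unverified commit author name.
func needsApprovalVulnerable(p pipeline, allowed []string) bool {
	if !p.fromFork {
		return false
	}
	return !inList(p.commitAuthorName, allowed)
}

// needsApprovalFixed matches the allow list against the forge-verified sender.
func needsApprovalFixed(p pipeline, allowed []string) bool {
	if !p.fromFork {
		return false
	}
	return !inList(p.senderLogin, allowed)
}

// authorSpoofsAllowedUser is a detection check for archived hook bodies: the
// commit author claims an allow-listed name that the authenticated sender lacks.
func authorSpoofsAllowedUser(p pipeline, allowed []string) bool {
	return inList(p.commitAuthorName, allowed) && p.commitAuthorName != p.senderLogin
}

// constructedHook is a sample payload (constructed, not captured): an account
// outside the allow list pushes a commit whose author name is an allow-listed user.
const constructedHook = `{
  "user_username": "fork-contributor",
  "commits": [{"author": {"name": "maintainer-alice"}}]
}`

var allowedUsers = []string{"maintainer-alice", "maintainer-bob"}

func main() {
	p, err := pipelineFromHook([]byte(constructedHook), true)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable gate requires approval:", needsApprovalVulnerable(p, allowedUsers))
	fmt.Println("fixed gate requires approval:     ", needsApprovalFixed(p, allowedUsers))
	fmt.Println("author name spoofs allowed user:  ", authorSpoofsAllowedUser(p, allowedUsers))
}
```

For the constructed hook the vulnerable gate returns false (the pipeline would run unapproved), the fixed gate returns true, and the mismatch check fires. The design point is that an allow list is only as strong as the identity it is compared against: anything a pusher can write into a git object is not an identity the forge vouched for.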
Sources
NVD CVE-2026-58370
VulnCheck Advisory — Woodpecker GitLab Approval Gate Bypass
GitHub Advisory GHSA-wpx4-jm4h-w8j6