What happened
CVE-2026-58370, published 2026-06-30 (CVSS v3 8.1 / CVSS v4 9.2 Critical per VulnCheck), is a bypass of the fork-approval security boundary in Woodpecker CI when it is used with GitLab. The commit.author.name field of the GitLab webhook payload is user-controlled and unverified, yet Woodpecker uses it as the identity for approval checks. Patched in v3.15.0.
Why it matters
CI/CD pipelines are critical AI infrastructure — they build, test, and deploy ML models and AI services. Bypassing fork-approval gates allows an external attacker to inject malicious steps into production AI pipelines, exfiltrate model training secrets (API keys, weights storage credentials, dataset access tokens), and potentially backdoor model artifacts. CVSS v4 9.2 Critical.
Attack vector
Woodpecker matches the ApprovalAllowedUsers bypass list against pipeline.Author, which for GitLab is sourced from the attacker-controlled git commit author name in the webhook payload (not the forge-verified sender identity). An attacker sets their commit author name to match an allowlisted username, making needsApproval return false so the pipeline executes without approval, running attacker-controlled steps on a Woodpecker agent with access to all CI secrets.
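The following Go sketch is an added illustration, not Woodpecker's own code, of the logic flaw described above and of the shape of the fix. The approval gate itself compares pipeline.Author against ApprovalAllowedUsers correctly; what differs between the vulnerable and fixed paths is where Author comes from. Type and field names (WebhookPayload, SenderUsername, FromFork, RepoConfig) are constructed for this example, and it assumes, as the advisory implies, that the correct identity source is the forge-verified sender of the webhook. suspiciousBypass is a hypothetical retrospective audit check for webhook deliveries logged by a server that ran an unpatched version.

```go
package main

import "fmt"

// WebhookPayload is a simplified model of what a GitLab webhook delivers.
// Field names are constructed for this example, not the exact GitLab schema
// or Woodpecker's internal types.
type WebhookPayload struct {
	CommitAuthorName string // commit.author.name: free text chosen by whoever made the commit
	SenderUsername   string // account that triggered the event, verified by the forge
	FromFork         bool   // event originates from a fork of the repository
}

// Pipeline carries the identity the approval gate checks.
type Pipeline struct {
	Author   string
	FromFork bool
}

// RepoConfig holds the approval policy; ApprovalAllowedUsers is the bypass list.
type RepoConfig struct {
	RequireApprovalForForks bool
	ApprovalAllowedUsers    []string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// needsApproval models the gate: a fork pipeline runs without approval only
// when its Author is on the bypass list. The gate is sound; the flaw lies in
// where Author is sourced from.
func needsApproval(cfg RepoConfig, p Pipeline) bool {
	if !cfg.RequireApprovalForForks || !p.FromFork {
		return false
	}
	return !contains(cfg.ApprovalAllowedUsers, p.Author)
}

// vulnerablePipeline reproduces the pre-3.15.0 mistake: Author is copied from
// the unverified commit author name in the payload.
func vulnerablePipeline(w WebhookPayload) Pipeline {
	return Pipeline{Author: w.CommitAuthorName, FromFork: w.FromFork}
}

// fixedPipeline takes Author from the forge-verified sender identity instead
// (assumed here to be the correct source, as the advisory implies).
func fixedPipeline(w WebhookPayload) Pipeline {
	return Pipeline{Author: w.SenderUsername, FromFork: w.FromFork}
}

// suspiciousBypass is a hypothetical audit check over stored webhook
// deliveries: a fork event whose commit author name is on the bypass list
// while the verified sender is not would have slipped past an unpatched gate.
func suspiciousBypass(cfg RepoConfig, w WebhookPayload) bool {
	if !w.FromFork {
		return false
	}
	return contains(cfg.ApprovalAllowedUsers, w.CommitAuthorName) &&
		!contains(cfg.ApprovalAllowedUsers, w.SenderUsername)
}

func main() {
	cfg := RepoConfig{RequireApprovalForForks: true, ApprovalAllowedUsers: []string{"maintainer"}}
	// Constructed sample: a fork event whose commit author name matches the
	// allowlisted maintainer but was sent by an unrelated account.
	w := WebhookPayload{CommitAuthorName: "maintainer", SenderUsername: "outside-user", FromFork: true}
	fmt.Println("vulnerable path needs approval:", needsApproval(cfg, vulnerablePipeline(w))) // false
	fmt.Println("fixed path needs approval:     ", needsApproval(cfg, fixedPipeline(w)))      // true
	fmt.Println("audit flags this delivery:     ", suspiciousBypass(cfg, w))                  // true
}
```

The practical takeaway for any webhook-driven gate is the same: an authorization decision must be keyed on an identity the forge attests to (the authenticated sender of the event), never on free-text metadata inside the object being delivered. If you ran an affected version, replaying stored GitLab deliveries through a check like suspiciousBypass gives a quick list of fork pipelines worth reviewing.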
Affected systems
Woodpecker CI before 3.15.0 (GitLab forge driver only; Gitea, Forgejo, GitHub, Bitbucket not affected)
Mitigation
Upgrade to Woodpecker CI 3.15.0. Fix commit: https://github.com/woodpecker-ci/woodpecker/commit/98faae778c953678944996c89ed99307d2f16a3d