{"id":"CVE-2026-50141","summary":"Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation","details":"Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.","aliases":["GHSA-g7mm-9vx7-jm7h"],"modified":"2026-07-08T08:13:40.767576484Z","published":"2026-06-18T14:13:38.065Z","database_specific":{"cwe_ids":["CWE-290","CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50141.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50141.json"},{"type":"ADVISORY","url":"https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50141"},{"type":"REPORT","url":"https://github.com/woodpecker-ci/woodpecker-security/issues/21"},{"type":"REPORT","url":"https://github.com/woodpecker-ci/woodpecker/issues/6541"},{"type":"FIX","url":"https://github.com/woodpecker-ci/woodpecker/pull/6567"},{"type":"FIX","url":"https://github.com/woodpecker-ci/woodpecker/pull/6569"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/woodpecker-ci/woodpecker","events":[{"introduced":"195887a9ee6aebdb8b720453c34fbba5d9bc0482"},{"fixed":"48e1ece20057e59de4e8e3fe25fc1f3a41e8a020"}],"database_specific":{"extracted_events":[{"introduced":"3.0.0"},{"fixed":"3.14.1"}],"source":"AFFECTED_FIELD"}}],"versions":["v3.14.0","v3.14.0-rc.2","v3.14.0-rc.1","v3.14.0-rc.0","v3.13.0","v3.12.0","v3.11.0","v3.11.0-rc.0","v3.10.0","v3.9.0","v3.8.0","v3.7.0","v3.6.0","v3.5.2","v3.5.1","v3.5.0","v3.4.0","v3.3.0","v3.2.0","v3.1.0","v3.0.1","v3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50141.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}