Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-50141

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-18 Jun, 2026 | 14:13
Updated At-18 Jun, 2026 | 16:10
Rejected At-
Credits

Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–ĽCommon Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:18 Jun, 2026 | 14:13
Updated At:18 Jun, 2026 | 16:10
Rejected At:
â–ĽCVE Numbering Authority (CNA)
Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.

Affected Products
Vendor
woodpecker-ci
Product
woodpecker
Versions
Affected
  • >= 3.0.0, < 3.14.1
Problem Types
TypeCWE IDDescription
CWECWE-290CWE-290: Authentication Bypass by Spoofing
CWECWE-639CWE-639: Authorization Bypass Through User-Controlled Key
Type: CWE
CWE ID: CWE-290
Description: CWE-290: Authentication Bypass by Spoofing
Type: CWE
CWE ID: CWE-639
Description: CWE-639: Authorization Bypass Through User-Controlled Key
Metrics
VersionBase scoreBase severityVector
4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h
x_refsource_CONFIRM
https://github.com/woodpecker-ci/woodpecker-security/issues/21
x_refsource_MISC
https://github.com/woodpecker-ci/woodpecker/issues/6541
x_refsource_MISC
https://github.com/woodpecker-ci/woodpecker/pull/6567
x_refsource_MISC
https://github.com/woodpecker-ci/woodpecker/pull/6569
x_refsource_MISC
Hyperlink: https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/woodpecker-ci/woodpecker-security/issues/21
Resource:
x_refsource_MISC
Hyperlink: https://github.com/woodpecker-ci/woodpecker/issues/6541
Resource:
x_refsource_MISC
Hyperlink: https://github.com/woodpecker-ci/woodpecker/pull/6567
Resource:
x_refsource_MISC
Hyperlink: https://github.com/woodpecker-ci/woodpecker/pull/6569
Resource:
x_refsource_MISC
â–ĽAuthorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–ĽNational Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:18 Jun, 2026 | 14:17
Updated At:18 Jun, 2026 | 17:16

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
N/A
Type: Secondary
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-290Secondarysecurity-advisories@github.com
CWE-639Secondarysecurity-advisories@github.com
CWE ID: CWE-290
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-639
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/woodpecker-ci/woodpecker-security/issues/21security-advisories@github.com
N/A
https://github.com/woodpecker-ci/woodpecker/issues/6541security-advisories@github.com
N/A
https://github.com/woodpecker-ci/woodpecker/pull/6567security-advisories@github.com
N/A
https://github.com/woodpecker-ci/woodpecker/pull/6569security-advisories@github.com
N/A
https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7hsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/woodpecker-ci/woodpecker-security/issues/21
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/woodpecker-ci/woodpecker/issues/6541
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/woodpecker-ci/woodpecker/pull/6567
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/woodpecker-ci/woodpecker/pull/6569
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-g7mm-9vx7-jm7h
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6Records found

CVE-2026-58370
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-9.2||CRITICAL
EPSS-0.55% / 41.74%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 15:57
Updated-02 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name

Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) carried in the webhook payload, which is attacker-controlled and not verified by GitLab. A user who can open a merge request from a fork can set the commit author name to match an entry in ApprovalAllowedUsers, causing needsApproval to return false so the pipeline runs without the required approval. This defeats the fork-approval security boundary and allows execution of attacker-controlled pipeline steps on a Woodpecker agent and exfiltration of CI secrets exposed to the run. Other built-in forge drivers (Gitea, Forgejo, GitHub, Bitbucket) derive pipeline.Author from the forge-validated sender/actor identity and are not affected.

Action-Not Available
Vendor-woodpecker-ci
Product-woodpecker
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2026-58447
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.22% / 13.12%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 21:05
Updated-02 Jul, 2026 | 18:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Action-Not Available
Vendor-iv-org
Product-Invidious
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-33703
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.17% / 7.13%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 18:23
Updated-16 Apr, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.

Action-Not Available
Vendor-chamilochamilo
Product-chamilo_lmschamilo-lms
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-32976
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.19% / 9.30%
||
7 Day CHG~0.00%
Published-31 Mar, 2026 | 11:17
Updated-23 Jun, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute channel commands like /config set channels.<provider>.accounts.<id> to modify configuration on target accounts with configWrites: false.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-28781
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.33% / 24.53%
||
7 Day CHG~0.00%
Published-04 Mar, 2026 | 16:31
Updated-05 Mar, 2026 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft Affected by Entries Authorship Spoofing via Mass Assignment

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

Action-Not Available
Vendor-craftcmscraftcms
Product-craft_cmscms
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-25563
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.28% / 19.86%
||
7 Day CHG~0.00%
Published-07 Feb, 2026 | 21:57
Updated-11 May, 2026 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeKan < 8.19 Checklist Creation Cross-Board IDOR

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

Action-Not Available
Vendor-wekan_projectWeKan
Product-wekanWeKan
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
Details not found