Unauthenticated Endpoint Vulnerability in Woodpecker by Adjusted Solutions
CVE-2026-58369

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 30 June 2026

What is CVE-2026-58369?

Woodpecker CI before version 3.15.0 does not require authentication on the /api/orgs/lookup/*org_full_name endpoint. An unauthenticated attacker can send requests to the endpoint and trigger a NULL pointer dereference in the LookupOrg handler, which runs without a session user context. The server continues to operate and returns an HTTP 500 status, but the resulting log output is excessive: it inflates disk usage and complicates log management by obscuring legitimate entries. This creates a denial-of-service risk through log flooding, so users should upgrade to the latest version to mitigate the issue.
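The failure pattern described above, shown as an added example that is not Woodpecker's code: a handler that dereferences a missing session user, next to a version that rejects the request first. The types, handler names, sample path and the use of net/http with an in-process recover (standing in for panic-recovery middleware) are all assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// User and userKey are hypothetical stand-ins for the session user context.
type User struct{ Login string }
type userKey struct{}

// lookupUnguarded uses the session user without checking that one exists.
func lookupUnguarded(w http.ResponseWriter, r *http.Request) {
	u, _ := r.Context().Value(userKey{}).(*User) // nil when there is no session
	fmt.Fprintf(w, "lookup by %s", u.Login)      // nil dereference -> panic
}

// lookupGuarded rejects session-less requests before touching the user.
func lookupGuarded(w http.ResponseWriter, r *http.Request) {
	u, _ := r.Context().Value(userKey{}).(*User)
	if u == nil {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "lookup by %s", u.Login)
}

// probe calls h in-process; recover models middleware: HTTP 500 and a log line.
func probe(h http.HandlerFunc, u *User) (status, panics int) {
	req := httptest.NewRequest(http.MethodGet, "/api/orgs/lookup/example-org", nil)
	req = req.WithContext(context.WithValue(req.Context(), userKey{}, u)) // u == nil: no session
	rec := httptest.NewRecorder()
	defer func() {
		if err := recover(); err != nil {
			log.Printf("panic recovered: %v", err)
			status, panics = http.StatusInternalServerError, 1
		}
	}()
	h(rec, req)
	return rec.Code, 0
}

func main() {
	fmt.Println(probe(lookupUnguarded, nil)) // 500 1
	fmt.Println(probe(lookupGuarded, nil))   // 401 0
}
```

With the guard in place an unauthenticated request ends in a 401 and no panic is logged, so it no longer contributes to log growth.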

Affected Version(s)

woodpecker 0 < 3.15.0

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen