Approval Bypass in Woodpecker CI Affects GitLab Integration
CVE-2026-58370

9.2 CRITICAL

Key Information:

Vendor
CVE Published: 30 June 2026

What is CVE-2026-58370?

Woodpecker CI versions prior to 3.15.0 contain an approval-bypass vulnerability that is specific to the GitLab integration. The pipeline.Author field is populated from the git commit author name carried in the webhook payload, a value that GitLab does not verify, so anyone able to open a merge request from a fork can set the commit author name to match an entry in the ApprovalAllowedUsers list. The needsApproval check then returns false and pipeline steps run without the required approval. Crossing the fork-approval security boundary in this way allows arbitrary code to execute on a Woodpecker agent, potentially leading to the exfiltration of sensitive CI secrets. Other forge drivers (Gitea, Forgejo, GitHub and Bitbucket) are not affected because they validate the sender/actor identity.
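The following is an added illustration of the flawed decision the advisory describes next to a hardened version; it is not Woodpecker's own code. The Pipeline and RepoConfig structs, the SenderLogin and FromFork fields and the helper names are assumptions made for the example.

```go
package main

import "fmt"

// Pipeline holds the fields relevant to the approval decision (assumed layout).
// Author is the commit author name copied from the webhook payload; for GitLab
// this value is not verified by the forge. SenderLogin is the hypothetical
// forge-verified identity of the user who triggered the event.
type Pipeline struct {
	Author      string
	SenderLogin string
	FromFork    bool
}

// RepoConfig carries the repository's approval settings (assumed layout).
type RepoConfig struct {
	ApprovalAllowedUsers []string
}

// allowed reports whether user appears in ApprovalAllowedUsers (exact match).
func allowed(cfg RepoConfig, user string) bool {
	for _, u := range cfg.ApprovalAllowedUsers {
		if u == user {
			return true
		}
	}
	return false
}

// needsApprovalVulnerable models the flawed logic: it trusts the unverified
// commit author name, which a fork contributor controls.
func needsApprovalVulnerable(cfg RepoConfig, p Pipeline) bool {
	if !p.FromFork {
		return false
	}
	return !allowed(cfg, p.Author)
}

// needsApprovalFixed decides on the forge-verified sender identity only and
// fails closed when no verified identity is available.
func needsApprovalFixed(cfg RepoConfig, p Pipeline) bool {
	if !p.FromFork {
		return false
	}
	if p.SenderLogin == "" {
		return true
	}
	return !allowed(cfg, p.SenderLogin)
}

func main() {
	cfg := RepoConfig{ApprovalAllowedUsers: []string{"maintainer"}}
	// Constructed event: a fork merge request whose commit author name equals
	// a trusted user's name, while the forge reports a different sender.
	p := Pipeline{Author: "maintainer", SenderLogin: "outside-contributor", FromFork: true}
	fmt.Println("vulnerable needsApproval:", needsApprovalVulnerable(cfg, p)) // false
	fmt.Println("fixed needsApproval:", needsApprovalFixed(cfg, p))           // true
}
```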

Affected Version(s)

woodpecker: 0 ≤ version < 3.15.0

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

George Chen