Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agent_id value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true) and delete existing ones.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50141.json",
"cwe_ids": [
"CWE-290",
"CWE-639"
],
"cna_assigner": "GitHub_M"
}