CVE-2026-58369

Source
https://cve.org/CVERecord?id=CVE-2026-58369
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58369.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58369
Published
2026-06-30T15:56:45.044Z
Modified
2026-07-16T03:30:59.612048185Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Woodpecker < 3.15.0 - Unauthenticated NULL Pointer Dereference in /api/orgs/lookup Enables Log-Flooding Denial of Service
Details

Woodpecker before 3.15.0 registers the /api/orgs/lookup/*orgfullname endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User returns nil, so any unauthenticated HTTP request triggers a NULL pointer dereference in the handler. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log. A low-bandwidth unauthenticated attacker can repeatedly probe the endpoint to flood the logs (about 37 lines per request), inflating disk usage and downstream log-ingestion cost and burying legitimate log events.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58369.json",
    "cwe_ids": [
        "CWE-476"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/woodpecker-ci/woodpecker

Affected ranges

Type
GIT
Repo
https://github.com/woodpecker-ci/woodpecker
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.15.0"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.13.0-rc.1
v0.13.0-rc.2
v0.13.0-rc.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.2
v0.15.0
v0.15.0-rc1
v0.15.0-rc2
v0.8.100
v0.8.101
v0.8.102
v0.8.103
v0.8.104
v0.8.105
v0.8.106
v0.8.91
v0.8.92
v0.8.93
v0.8.94
v0.8.95
v0.8.96
v0.8.97
v0.8.98
v0.8.99
v0.9.0
v0.9.1
v0.9.2
v2.*
v2.0.0
v2.0.0-rc.0
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.3.0
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.7.0
v3.*
v3.0.0
v3.0.0-rc.0
v3.0.1
v3.1.0
v3.10.0
v3.11.0
v3.11.0-rc.0
v3.12.0
v3.13.0
v3.14.0
v3.14.0-rc.0
v3.14.0-rc.1
v3.14.0-rc.2
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.7.0
v3.8.0
v3.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58369.json"