PT-2026-60111 · Unknown · Woodpecker Ci

Published

2026-07-14

·

Updated

2026-07-15

·

CVE-2026-61549

CVSS v4.0

8.2

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Woodpecker CI versions v1.0.0 through v3.15.0
Description A privilege escalation issue exists in instances using the Kubernetes backend. The pipeline option backend options.kubernetes.serviceAccountName is passed directly to the pod spec without administrative gating. Users with Push permissions on a connected repository can execute pipeline pods using an arbitrary ServiceAccount within the pipeline namespace, thereby acquiring that account's RBAC (Role-Based Access Control) permissions. If a privileged ServiceAccount is available in that namespace, this could result in the exfiltration of secrets, such as database credentials, API keys, and TLS certificates, potentially leading to a full cluster takeover.
Recommendations Update to a version later than v3.15.0. Restrict Push access on repositories connected to the Kubernetes-backed instance to trusted users only. Harden the pipeline namespace by ensuring no privileged ServiceAccount exists or is bound in the namespace where pipeline pods run, and keep the default ServiceAccount minimally privileged. Disable ServiceAccount token automounting for ServiceAccounts that should not be used by pipelines. Enforce an admission policy that rejects pipeline pods setting an unexpected serviceAccountName. Use a dedicated, isolated namespace per organization or instance with no sensitive RBAC bindings.

Fix

Missing Authorization

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61549
GHSA-QF34-295C-26V8

Affected Products

Woodpecker Ci