PT-2026-60111 · Unknown · Woodpecker Ci
Published
2026-07-14
·
Updated
2026-07-15
·
CVE-2026-61549
CVSS v4.0
8.2
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Woodpecker CI versions v1.0.0 through v3.15.0
Description
A privilege escalation issue exists in instances using the Kubernetes backend. The pipeline option
backend options.kubernetes.serviceAccountName is passed directly to the pod spec without administrative gating. Users with Push permissions on a connected repository can execute pipeline pods using an arbitrary ServiceAccount within the pipeline namespace, thereby acquiring that account's RBAC (Role-Based Access Control) permissions. If a privileged ServiceAccount is available in that namespace, this could result in the exfiltration of secrets, such as database credentials, API keys, and TLS certificates, potentially leading to a full cluster takeover.Recommendations
Update to a version later than v3.15.0.
Restrict Push access on repositories connected to the Kubernetes-backed instance to trusted users only.
Harden the pipeline namespace by ensuring no privileged ServiceAccount exists or is bound in the namespace where pipeline pods run, and keep the
default ServiceAccount minimally privileged.
Disable ServiceAccount token automounting for ServiceAccounts that should not be used by pipelines.
Enforce an admission policy that rejects pipeline pods setting an unexpected serviceAccountName.
Use a dedicated, isolated namespace per organization or instance with no sensitive RBAC bindings.Fix
Missing Authorization
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Woodpecker Ci