Threat Advisory

Woodpecker Privilege Escalation via Unrestricted ServiceAccountName

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-61549 with a CVSS score of 8.2 is a privilege escalation vulnerability affecting Woodpecker versions `v1 affecting github. versions >= 1.0.0, <= 1.0.4 affecting go.woodpecker-ci. versions <= 2.8.3 affecting Woodpecker instances using the Kubernetes backend, specifically in versions prior to v3.16.0 and v1.0.5, where an unrestricted serviceAccountName in the pipeline option backend_options.kubernetes.serviceAccountName allows any user with Push permission on a connected repository to run pipeline pods under an arbitrary ServiceAccount in the pipeline namespace, gaining that account's RBAC permissions, which can lead to secret exfiltration and full cluster takeover.

RECOMMENDATION:

We recommend you to update Woodpecker to version 3.16.0.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-61549 with a CVSS score of 8.2 is a privilege escalation vulnerability affecting Woodpecker versions `v1 affecting github. versions >= 1.0.0, <= 1.0.4 affecting go.woodpecker-ci. versions <= 2.8.3 affecting Woodpecker instances using the Kubernetes backend, specifically in versions prior to v3.16.0 and v1.0.5, where an unrestricted serviceAccountName in the pipeline option backend_options.kubernetes.serviceAccountName allows any user with Push permission on a connected repository to run pipeline pods under an arbitrary ServiceAccount in the pipeline namespace, gaining that account's RBAC permissions, which can lead to secret exfiltration and full cluster takeover.

RECOMMENDATION:

We recommend you to update Woodpecker to version 3.16.0.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu