CVE-2026-61549 with a CVSS score of 8.2 is a privilege escalation vulnerability affecting Woodpecker versions `v1 affecting github. versions >= 1.0.0, <= 1.0.4 affecting go.woodpecker-ci. versions <= 2.8.3 affecting Woodpecker instances using the Kubernetes backend, specifically in versions prior to v3.16.0 and v1.0.5, where an unrestricted serviceAccountName in the pipeline option backend_options.kubernetes.serviceAccountName allows any user with Push permission on a connected repository to run pipeline pods under an arbitrary ServiceAccount in the pipeline namespace, gaining that account's RBAC permissions, which can lead to secret exfiltration and full cluster takeover.
We recommend you to update Woodpecker to version 3.16.0.[/subscribe_to_unlock_form]
CVE-2026-61549 with a CVSS score of 8.2 is a privilege escalation vulnerability affecting Woodpecker versions `v1 affecting github. versions >= 1.0.0, <= 1.0.4 affecting go.woodpecker-ci. versions <= 2.8.3 affecting Woodpecker instances using the Kubernetes backend, specifically in versions prior to v3.16.0 and v1.0.5, where an unrestricted serviceAccountName in the pipeline option backend_options.kubernetes.serviceAccountName allows any user with Push permission on a connected repository to run pipeline pods under an arbitrary ServiceAccount in the pipeline namespace, gaining that account's RBAC permissions, which can lead to secret exfiltration and full cluster takeover.
We recommend you to update Woodpecker to version 3.16.0.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]