Severity by source
CVSS 4.0 vector (vendor: VulnCheck):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with no authentication or attack-complexity barrier; availability impact is low because gin's recovery middleware prevents a service crash; no confidentiality or integrity impact; no impact on subsequent systems (SC:N/SI:N/SA:N).
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User returns nil, so any unauthenticated HTTP request triggers a NULL pointer dereference in the handler. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log. A low-bandwidth unauthenticated attacker can repeatedly probe the endpoint to flood the logs (about 37 lines per request), inflating disk usage and downstream log-ingestion cost and burying legitimate log events.
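The handler pattern the description above outlines, as an added Go example that is not Woodpecker's code: a hypothetical lookupOrg handler that dereferences a nil session user, a gin-style recovery wrapper that turns the panic into HTTP 500 plus a stack trace in the error log, and the authentication middleware whose absence is the bug. The User type, the X-User header and the probe helper are constructed stand-ins built on net/http and httptest only, not on gin.

```go
package main
import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
)
type User struct{ ForgeID int64 } // hypothetical stand-in for the session user model
// sessionUser returns nil for unauthenticated requests; the X-User header is a constructed stand-in.
func sessionUser(r *http.Request) *User {
	if r.Header.Get("X-User") == "" {
		return nil
	}
	return &User{ForgeID: 1}
}
// lookupOrg mirrors the advisory's handler: it assumes an auth middleware already rejected nil sessions.
func lookupOrg(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "lookup via forge %d\n", sessionUser(r).ForgeID) // nil pointer dereference when unauthenticated
}
// requireUser is the missing authentication middleware: unauthenticated callers get 401 before the handler runs.
func requireUser(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if sessionUser(r) == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}
// withRecovery mimics gin's recovery middleware: a panic becomes HTTP 500 plus a multi-line stack trace in the log.
func withRecovery(next http.HandlerFunc, errLog *bytes.Buffer) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if p := recover(); p != nil {
				fmt.Fprintf(errLog, "panic recovered: %v\n%s", p, debug.Stack())
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next(w, r)
	}
}
// probe sends one request (empty user = no session) and reports the HTTP status and error-log line count.
func probe(h http.HandlerFunc, user string) (status, logLines int) {
	var errLog bytes.Buffer
	req := httptest.NewRequest(http.MethodGet, "/api/orgs/lookup/some-org", nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	withRecovery(h, &errLog)(rec, req)
	return rec.Code, bytes.Count(errLog.Bytes(), []byte("\n"))
}
```

Wrapping the same handler in requireUser is the shape of the fix: the unauthenticated request is answered with 401 and writes nothing to the error log, while the unprotected route answers 500 and logs a full stack trace per request.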
Analysis (AI-generated)
Unauthenticated NULL pointer dereference in Woodpecker CI before 3.15.0 allows any network attacker to flood server logs by repeatedly probing the unprotected /api/orgs/lookup/ endpoint. The LookupOrg handler unconditionally dereferences the session user object, which is nil for unauthenticated callers, triggering a Go panic on every such request; gin's recovery middleware catches each panic and returns HTTP 500, keeping the server alive but writing approximately 37 lines of stack trace per request to the error log. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The /api/orgs/lookup/*org_full_name API endpoint must be network-reachable; Woodpecker CI instances exposed to the internet or accessible from untrusted internal networks are at risk. … |
| Risk Assessment | The CVSS 4.0 score of 6.9 with VA:L (low availability impact to the vulnerable system) accurately reflects the constrained blast radius: the server remains operational due to gin's recovery middleware, so impact is limited to log flooding, disk exhaustion, elevated log-ingestion costs, and analyst alert fatigue. … |
| Exploit Scenario | An unauthenticated attacker sends a high-frequency stream of HTTP GET requests to /api/orgs/lookup/<arbitrary_string> on an internet-facing Woodpecker CI server. No exploit code or special tooling is required; a curl loop or any HTTP benchmarking tool suffices. … |
| Remediation | Upgrade Woodpecker CI to version 3.15.0 or later; this is the vendor-released patch confirmed by release tag v3.15.0, pull request #6652, and commit 1fbacac3a43b75b6e5a0a40a4f720a0017c62010 (https://github.com/woodpecker-ci/woodpecker/commit/1fbacac3a43b75b6e5a0a40a4f720a0017c62010), with the full VulnCheck advisory at https://www.vulncheck.com/advisories/woodpecker-unauthenticated-null-pointer-dereference-in-api-orgs-lookup-enables-log-flooding-denial-of-service. … |
Classification
- Weakness: CWE-476 – NULL Pointer Dereference
- Technique: Denial of Service
Aliases: EUVD-2026-40357, GHSA-xq6m-xxrf-h53q