
Woodpecker CI | EUVD-2026-40357 | CVE-2026-58369 | MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-30 · VulnCheck · GHSA-xq6m-xxrf-h53q
6.9 (CVSS 4.0) · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable with no auth or complexity barriers; availability impact is low because gin recovery prevents service crash; no confidentiality or integrity impact; no scope change.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Analysis Generated: Jun 30, 2026 - 17:23 (vuln.today)
  • CVSS changed: Jun 30, 2026 - 17:22 (NVD), from 5.3 (MEDIUM) to 6.9 (MEDIUM)

Description (source: CVE.org)

Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request session.User returns nil, so any unauthenticated HTTP request triggers a NULL pointer dereference in the handler. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log. A low-bandwidth unauthenticated attacker can repeatedly probe the endpoint to flood the logs (about 37 lines per request), inflating disk usage and downstream log-ingestion cost and burying legitimate log events.
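As an added illustration (not Woodpecker's code), the handler pair below shows the unguarded pattern the description reports beside a hardened version that refuses callers with no session before touching the user. User, sessionUser and the X-Test-Session header are constructed stand-ins for Woodpecker's session layer, and gin's recovery middleware is mimicked with a plain recover that logs the panic and answers HTTP 500.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// User stands in for the session user; ForgeID is the field the handler dereferences.
type User struct{ ForgeID int64 }

// sessionUser mimics session.User(): nil when the request carries no valid session.
// Constructed stand-in: a fake header replaces the real session store.
func sessionUser(r *http.Request) *User {
	if r.Header.Get("X-Test-Session") != "valid" {
		return nil
	}
	return &User{ForgeID: 1}
}

// lookupOrgVulnerable reproduces the unguarded pattern: every unauthenticated request panics.
func lookupOrgVulnerable(w http.ResponseWriter, r *http.Request) {
	user := sessionUser(r)
	fmt.Fprintf(w, "forge %d", user.ForgeID) // nil pointer dereference when user == nil
}

// lookupOrgHardened refuses unauthenticated callers before touching the user.
func lookupOrgHardened(w http.ResponseWriter, r *http.Request) {
	user := sessionUser(r)
	if user == nil {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "forge %d", user.ForgeID)
}

// statusFor sends one GET to h (with or without a session) and mimics gin's recovery
// middleware: a panic is logged and becomes HTTP 500 instead of crashing the server.
func statusFor(h http.HandlerFunc, authenticated bool) (code int) {
	req := httptest.NewRequest(http.MethodGet, "/api/orgs/lookup/example-org", nil)
	if authenticated {
		req.Header.Set("X-Test-Session", "valid")
	}
	rec := httptest.NewRecorder()
	defer func() {
		if p := recover(); p != nil {
			log.Printf("panic recovered on %s: %v", req.URL.Path, p) // where gin prints the stack trace
			code = http.StatusInternalServerError
		}
	}()
	h(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(lookupOrgVulnerable, false), statusFor(lookupOrgHardened, false)) }
```

The in-handler nil check is only half of the fix; the description notes the route was registered without the authentication middleware, and routing it behind that middleware stops the request before the handler runs at all.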

Analysis (AI)

Unauthenticated NULL pointer dereference in Woodpecker CI before 3.15.0 allows any network attacker to flood server logs by repeatedly probing the unprotected /api/orgs/lookup/ endpoint. The LookupOrg handler unconditionally dereferences the session user object, which is nil for unauthenticated callers, triggering a Go panic on every such request; gin's recovery middleware catches each panic and returns HTTP 500, keeping the server alive but writing approximately 37 lines of stack trace per request to the error log. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Send unauthenticated HTTP GET to /api/orgs/lookup/<any_value>
  • Delivery: LookupOrg handler calls session.User() which returns nil
  • Exploit: Nil pointer dereference on user.ForgeID triggers Go runtime panic
  • Execution: Gin recovery middleware catches panic and returns HTTP 500
  • Persist: 37-line goroutine stack trace written to error log per request
  • Impact: Repeat at scale to exhaust disk or overwhelm log pipeline

Vulnerability Assessment (AI)

Exploitation: The /api/orgs/lookup/*org_full_name API endpoint must be network-reachable; Woodpecker CI instances exposed to the internet or accessible from untrusted internal networks are at risk. …
Risk Assessment: The CVSS 4.0 score of 6.9 with VA:L (low availability impact to the vulnerable system) accurately reflects the constrained blast radius: the server remains operational due to gin's recovery middleware, so impact is limited to log flooding, disk exhaustion, elevated log-ingestion costs, and analyst alert fatigue. …
Exploit Scenario: An unauthenticated attacker sends a high-frequency stream of HTTP GET requests to /api/orgs/lookup/<arbitrary_string> on an internet-facing Woodpecker CI server. No exploit code or special tooling is required; a curl loop or any HTTP benchmarking tool suffices. …
Remediation: Upgrade Woodpecker CI to version 3.15.0 or later; this is the vendor-released patch confirmed by release tag v3.15.0, pull request #6652, and commit 1fbacac3a43b75b6e5a0a40a4f720a0017c62010 (https://github.com/woodpecker-ci/woodpecker/commit/1fbacac3a43b75b6e5a0a40a4f720a0017c62010), with the full VulnCheck advisory at https://www.vulncheck.com/advisories/woodpecker-unauthenticated-null-pointer-dereference-in-api-orgs-lookup-enables-log-flooding-denial-of-service. …


EUVD-2026-40357 vulnerability details – vuln.today
