Listen to this Post
CVE-2026-61549 is a privilege escalation vulnerability affecting Woodpecker CI instances that utilize the Kubernetes backend. The root cause lies in the pipeline option backend_options.kubernetes.serviceAccountName, which is passed directly to the Kubernetes pod specification without any administrative validation or gating.
When a pipeline is triggered, Woodpecker constructs a Kubernetes pod manifest to execute the CI jobs. The `serviceAccountName` field in this manifest determines which Kubernetes ServiceAccount the pod will use for authentication with the Kubernetes API server. Because this value is taken directly from user-supplied pipeline configuration options—rather than being restricted to a predefined allowlist or validated against the user’s permissions—any user with Push access to a connected repository can specify an arbitrary ServiceAccount name.
The attack surface is significant: an attacker with Push permissions can craft a `.woodpecker.yml` file that sets `backend_options.kubernetes.serviceAccountName` to a privileged ServiceAccount (e.g., one with cluster-admin bindings) that exists in the pipeline namespace. When the pipeline runs, the resulting pod operates with that ServiceAccount’s full RBAC permissions. This can lead to the exfiltration of sensitive secrets—including database credentials, API keys, and TLS certificates—and, in worst-case scenarios, full cluster takeover.
The vulnerable code paths are located in `pipeline/backend/kubernetes/backend_options.go` (where the `ServiceAccountName` field is defined) and `pipeline/backend/kubernetes/pod.go` (where it is assigned to the pod spec with no gating). The issue was introduced in commit `609ba481b5e912f59aaae8ca7bc22b44523c5e37` and affects all versions from v1.0.0 through v3.15.0. The patch is available in version v3.16.0.
DailyCVE Form
| Field | Value |
|-|-|
| Platform | Woodpecker CI |
| Version | v1.0.0 – v3.15.0 |
| Vulnerability | Privilege Escalation |
| Severity | High |
| Date | 2026-07-01 |
| Prediction | Patch: 2026-07-15 |
What Undercode Say
Analytics
Check Woodpecker version woodpecker-server --version Identify vulnerable versions (1.0.0 through 3.15.0) All versions in this range are affected Check if Kubernetes backend is in use kubectl get pods -n <pipeline-namespace> -l app=woodpecker Audit existing ServiceAccounts in pipeline namespace kubectl get serviceaccounts -n <pipeline-namespace> Check for privileged ServiceAccounts kubectl get clusterrolebindings -o wide | grep -E "(cluster-admin|admin)"
Code Analysis
The vulnerable code flow:
// pipeline/backend/kubernetes/backend_options.go
// Field defined with no restrictions
type KubernetesBackendOptions struct {
ServiceAccountName string `json:"serviceAccountName,omitempty"`
// ... other fields
}
// pipeline/backend/kubernetes/pod.go
// Assigned directly to pod spec without validation
pod.Spec.ServiceAccountName = backendOptions.ServiceAccountName
// NO gating, NO validation, NO allowlist check
Detection Query
Search for pipelines exploiting this vulnerability Look for .woodpecker.yml files containing: backend_options: kubernetes: serviceAccountName: <suspicious-value>
Exploit
An attacker with Push permissions on a connected repository can exploit this vulnerability by creating a malicious `.woodpecker.yml` file:
.woodpecker.yml - Malicious pipeline steps: - name: exploit image: bitnami/kubectl:latest commands: - kubectl get secrets --all-namespaces - kubectl get clusterrolebindings - cat /var/run/secrets/kubernetes.io/serviceaccount/token backend_options: kubernetes: serviceAccountName: cluster-admin-sa Arbitrary privileged SA
When this pipeline is triggered, Woodpecker creates a pod in the pipeline namespace with serviceAccountName: cluster-admin-sa. If that ServiceAccount exists and has elevated permissions, the attacker gains those privileges, enabling:
– Secret exfiltration: Access to database credentials, API keys, TLS certificates
– Cluster takeover: Creation of new cluster-admin bindings
– Lateral movement: Access to other namespaces and workloads
Protection
Immediate Mitigations (No Upgrade)
- Restrict Push access: Limit repository Push permissions to trusted users only
2. Harden pipeline namespace:
Ensure no privileged ServiceAccount exists kubectl delete clusterrolebinding <privileged-binding> -n <pipeline-ns> Keep default ServiceAccount minimally privileged kubectl edit serviceaccount default -n <pipeline-ns>
3. Disable ServiceAccount token automounting:
apiVersion: v1 kind: ServiceAccount metadata: name: default namespace: <pipeline-ns> automountServiceAccountToken: false
4. Enforce admission policy (OPA/Gatekeeper/Kyverno):
Kyverno policy to reject unexpected serviceAccountName apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: restrict-pipeline-sa spec: rules: - name: validate-serviceaccount match: resources: kinds: - Pod validate: message: "serviceAccountName must be 'default'" pattern: spec: serviceAccountName: "default"
5. Use isolated namespaces: Dedicated namespace per org/instance with no sensitive RBAC bindings
Permanent Fix
Upgrade to v3.16.0 or later, which contains the patch:
Upgrade Woodpecker server and agent helm upgrade woodpecker woodpecker/woodpecker --version 3.16.0 Or via Docker docker pull woodpeckerci/woodpecker-server:3.16.0
Impact
| Aspect | Details |
|–||
| Confidentiality | High – Secrets (DB credentials, API keys, TLS certs) can be exfiltrated |
| Integrity | High – Attacker can modify cluster resources and RBAC bindings |
| Availability | High – Full cluster takeover可能导致服务中断 |
| Attack Vector | Network – Requires Push access to a connected repository |
| Privileges Required | Low – Push permission on any connected repo |
| User Interaction | None – Pipeline runs automatically on push |
| Scope | Changed – Compromised pod affects entire cluster |
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

