Woodpecker CI gRPC Agent ID Spoofing Vulnerability Allows Cross-Tenant Impersonation
A vulnerability in Woodpecker CI's gRPC layer (CVE-2026-50141, CVSS 7.1) allows authenticated agents to impersonate other agents by spoofing the `agent_id` metadata. This issue enables cross-tenant impersonation, potentially leading to unauthorized access and privilege escalation. Affected versions include Woodpecker CI 3.0.0 to 3.14.1. Immediate patching or workarounds are recommended.