{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-58370/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-30T17:13:07.424Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-58370","@id":"https://www.cve.org/CVERecord?id=CVE-2026-58370","description":"Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) carried in the webhook payload, which is attacker-controlled and not verified by GitLab. A user who can open a merge request from a fork can set the commit author name to match an entry in ApprovalAllowedUsers, causing needsApproval to return false so the pipeline runs without the required approval."},"products":[{"@id":"cpe:2.3:a:woodpecker-ci:woodpecker:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:woodpecker-ci:woodpecker:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 3.15.0.","timestamp":"2026-06-30T17:13:07.424Z"}]}