CVE-2026-58369
Received - Intake

Unauthenticated NULL Pointer Dereference in Woodpecker

Vulnerability report for CVE-2026-58369, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Woodpecker before 3.15.0 registers the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the LookupOrg handler unconditionally dereferences the session user (user.ForgeID, via ForgeFromUser) when selecting the forge to query. For an unauthenticated request, session.User returns nil, so any unauthenticated HTTP request triggers a NULL pointer dereference in the handler. The panic is recovered by gin recovery middleware and the server continues serving (returning HTTP 500), but each request writes a multi-line panic stack trace to the error log. A low-bandwidth unauthenticated attacker can repeatedly probe the endpoint to flood the logs (about 37 lines per request), inflating disk usage and downstream log-ingestion cost and burying legitimate log events.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: woodpecker_ci
Product: woodpecker
Version / Range: up to 3.15.0 (excluding 3.15.0)

Exploitability

CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.

Executive Summary

CVE-2026-58369 is a vulnerability in Woodpecker versions before 3.15.0 where the /api/orgs/lookup/*org_full_name endpoint is registered without authentication middleware. The LookupOrg handler unconditionally dereferences the session user when selecting the forge to query. For unauthenticated requests, the session user is nil, causing a NULL pointer dereference that triggers a panic.

Although the panic is recovered by the gin recovery middleware and the server continues serving by returning HTTP 500 errors, each unauthenticated request writes a multi-line panic stack trace (about 37 lines) to the error log.

This allows a low-bandwidth unauthenticated attacker to repeatedly probe the endpoint, causing log flooding, inflating disk usage, increasing log-ingestion costs, and burying legitimate log events.

Impact Analysis

This vulnerability can be exploited by an unauthenticated attacker to cause denial of service through log flooding.

  • Repeated unauthenticated requests trigger a NULL pointer dereference panic, which is logged extensively (about 37 lines per request).
  • The resulting log flooding inflates disk usage and increases costs associated with log ingestion.
  • Legitimate log events can be buried under the flood of panic stack traces, potentially obscuring important operational or security information.
  • The server continues to respond with HTTP 500 errors during these attacks, which may degrade service reliability or availability.

Detection Guidance

This vulnerability can be detected by monitoring the error logs of the Woodpecker server for repeated multi-line panic stack traces triggered by unauthenticated requests to the /api/orgs/lookup/*org_full_name endpoint.

Specifically, an unauthenticated HTTP request to this endpoint causes a NULL pointer dereference panic, which is logged as about 37 lines of stack trace per request.

To detect exploitation attempts, search your server logs for these panic stack traces or for HTTP 500 errors originating from requests to the /api/orgs/lookup endpoint.

  • Use grep or similar tools to find panic stack traces in logs, for example:
    grep -A 30 'panic:' /path/to/woodpecker/error.log | grep '/api/orgs/lookup'
  • Check for frequent HTTP 500 responses to unauthenticated requests targeting /api/orgs/lookup/* endpoints using tools like curl or by analyzing access logs.
  • Example curl command to test the endpoint:
    curl -v http://your-woodpecker-server/api/orgs/lookup/someorgname

Mitigation Strategies
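As an added example (not code from the page or from the Woodpecker project), a small Python log scanner that implements the detection guidance above: it counts HTTP 500 responses on the lookup endpoint per client address in a gin-style access log, and counts recovery-middleware panic blocks in the error log whose request line targets the endpoint with a nil pointer dereference. The log line formats and all sample lines are constructed for illustration; adapt the parsing to the format your deployment actually emits.

```python
import re
from collections import Counter

LOOKUP_PREFIX = "/api/orgs/lookup/"

# Constructed sample data, not real Woodpecker output: gin-style access log and error log.
ACCESS_LOG = """\
[GIN] 2026/06/30 - 10:00:02 | 500 | 0.8ms | 203.0.113.5 | GET "/api/orgs/lookup/acme"
[GIN] 2026/06/30 - 10:00:02 | 500 | 0.7ms | 203.0.113.5 | GET "/api/orgs/lookup/acme"
[GIN] 2026/06/30 - 10:00:03 | 500 | 0.9ms | 203.0.113.5 | GET "/api/orgs/lookup/foo"
[GIN] 2026/06/30 - 10:00:04 | 200 | 2.1ms | 198.51.100.7 | GET "/api/orgs/lookup/acme"
[GIN] 2026/06/30 - 10:00:05 | 500 | 3.0ms | 198.51.100.7 | GET "/api/repos/1/pipelines"
"""
ERROR_LOG = """\
[Recovery] 2026/06/30 - 10:00:02 panic recovered:
GET /api/orgs/lookup/acme HTTP/1.1
runtime error: invalid memory address or nil pointer dereference
server/api/org.go:90 (0x1a2b3c)
[Recovery] 2026/06/30 - 10:00:05 panic recovered:
GET /api/repos/1/pipelines HTTP/1.1
runtime error: invalid memory address or nil pointer dereference
server/api/pipeline.go:40 (0x4d5e6f)
"""

def lookup_500s_by_client(access_log):
    """Count HTTP 500 responses on the lookup endpoint, keyed by client address."""
    hits = Counter()
    for line in access_log.splitlines():
        parts = [p.strip() for p in line.split("|")]  # prefix | status | latency | client | request
        if len(parts) < 5 or parts[1] != "500":
            continue
        path = parts[4].split(None, 1)[-1].strip('"')  # 'GET "/path"' -> '/path'
        if path.startswith(LOOKUP_PREFIX):
            hits[parts[3]] += 1
    return hits

def lookup_nil_deref_panics(error_log):
    """Count recovered-panic blocks whose request line hits the lookup endpoint."""
    count = 0
    for block in re.split(r"(?m)^(?=\[Recovery\] )", error_log):
        lines = block.splitlines()
        req = lines[1].split() if len(lines) > 1 else []  # "METHOD PATH HTTP/x"
        if len(req) > 1 and req[1].startswith(LOOKUP_PREFIX) and "nil pointer dereference" in block:
            count += 1
    return count

def noisy_clients(access_log, threshold=3):
    """Clients at or above the threshold of lookup 500s: candidates for alerting or blocking."""
    return sorted(c for c, n in lookup_500s_by_client(access_log).items() if n >= threshold)
```

The authenticated 200 on the same path and the 500 on an unrelated route are deliberately excluded, so alerts key on the unauthenticated failure pattern rather than on the path alone.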

The immediate and recommended mitigation is to upgrade Woodpecker to version 3.15.0 or later, where this vulnerability has been fixed.

The fix involves adding proper authentication middleware to the /api/orgs/lookup endpoint and improving error handling to prevent NULL pointer dereferences.

Until the upgrade can be applied, you can mitigate the risk by restricting access to the vulnerable endpoint, for example by firewall rules or reverse proxy configurations that block unauthenticated requests to /api/orgs/lookup/*.

Additionally, monitoring and alerting on unusual log flooding or HTTP 500 errors from this endpoint can help detect exploitation attempts.
