Vulnerability  ·  2026-06-20

Woodpecker CI gRPC Agent Impersonation via Forged agent_id (CVE-2026-50141)

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-50141
Woodpecker CI 3.0.0–3.14.0 verifies JWT tokens in gRPC requests but does not enforce that the agent_id in the request metadata matches the verified identity from the JWT. An attacker can supply an arbitrary agent_id and the server will trust it.
For AI/ML workloads, agents often have access to model training data, GPUs, and credentials. Agent impersonation allows an attacker to execute malicious jobs with the privileges of a different agent, potentially stealing data or pivoting to other infrastructure.
Woodpecker CI's gRPC layer validates JWT tokens correctly but then discards the verified agent identity in favor of a client-supplied agent_id value in the gRPC metadata. An authenticated attacker controlling one agent can inject a forged agent_id to impersonate another agent, executing jobs as that agent.
Affected: Woodpecker CI 3.0.0–3.14.0
Update to Woodpecker CI v3.14.1 or later; enforce that the agent_id in requests matches the JWT-verified identity; disable user agent registration if not needed.
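The difference between the flawed and the corrected behaviour comes down to which value the server uses as the acting identity after the token check. The following Go example is an added illustration, not Woodpecker's code: a small HMAC-signed token stands in for the JWT, a plain map stands in for gRPC request metadata, and the `agent_id` header name and all function names are constructed for the example. `vulnerableAgentID` reproduces the pattern the advisory describes (token verified, identity taken from the header); `fixedAgentID` binds the identity to the verified claim and rejects a header that disagrees with it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// claims is a minimal stand-in for the token payload the server verifies.
// Only the agent identity matters for this example.
type claims struct {
	AgentID string `json:"agent_id"`
}

// mintToken signs claims with HMAC-SHA256 in a JWT-like "payload.signature"
// shape. This is a constructed toy format, not Woodpecker's token format.
func mintToken(key []byte, agentID string) string {
	payload, _ := json.Marshal(claims{AgentID: agentID})
	enc := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(enc))
	sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return enc + "." + sig
}

// verifyToken checks the signature and returns the verified claims.
func verifyToken(key []byte, token string) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0]))
	want := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(want), []byte(parts[1])) {
		return claims{}, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return claims{}, err
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return claims{}, err
	}
	return c, nil
}

// metadata stands in for gRPC request metadata (a header multimap).
type metadata map[string][]string

func (md metadata) get(k string) string {
	if v := md[k]; len(v) > 0 {
		return v[0]
	}
	return ""
}

// vulnerableAgentID mirrors the flawed pattern: the token is verified, but the
// identity used afterwards is whatever the client put in the agent_id header.
func vulnerableAgentID(key []byte, md metadata) (string, error) {
	if _, err := verifyToken(key, md.get("token")); err != nil {
		return "", err
	}
	return md.get("agent_id"), nil // trusts the client-supplied value
}

// fixedAgentID derives the acting identity from the verified claim and rejects
// any agent_id header that does not match it.
func fixedAgentID(key []byte, md metadata) (string, error) {
	c, err := verifyToken(key, md.get("token"))
	if err != nil {
		return "", err
	}
	if hdr := md.get("agent_id"); hdr != "" && hdr != c.AgentID {
		return "", fmt.Errorf("agent_id %q does not match token identity %q", hdr, c.AgentID)
	}
	return c.AgentID, nil
}

func main() {
	key := []byte("constructed-demo-key")
	// Constructed request: a valid token for agent "7" sent with a mismatching agent_id header.
	md := metadata{
		"token":    {mintToken(key, "7")},
		"agent_id": {"42"},
	}
	id, _ := vulnerableAgentID(key, md)
	fmt.Println("vulnerable path acts as agent:", id)
	_, err := fixedAgentID(key, md)
	fmt.Println("fixed path rejects request:", err)
}
```

The check in `fixedAgentID` is the one a server-side interceptor should perform once per request, before any scheduling or secret lookup keyed by agent identity; logging the mismatch (both values, plus the peer address) gives defenders a direct detection signal for impersonation attempts against unpatched instances.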
Sources
PT Security - CVE-2026-50141