Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name_CVE-2026-58370
Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) carried in the webhook payload, which is attacker-controlled and not ve...