GO-2025-3509 Vela Server Has Insufficient Webhook Payload Data Verification in github.com/go-vela/server
GHSA-9M63-33Q3-XQ5X Vela Server Has Insufficient Webhook Payload Data Verification
Impact: Users with an enabled repository that has access to repo-level CI secrets in Vela are vulnerable. Any user with access to the CI instance and the linked source control manager can perform the exploit. Method: By spoofing a webhook payload with a specific set of headers and body...
CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...
Vela Server security vulnerability
Vela Server is the server component of Vela, an open source pipeline automation CI/CD framework built on Linux container technology. Vela Server versions prior to 0.25.3 and 0.26.x versions prior to 0.26.3 are affected: a spoofed webhook payload can lead to repository ownership transfer and secret disclosure...
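The advisory above only says that a spoofed webhook with particular headers and body fields could move a repository and its secrets to another owner; the snippet does not show Vela's handler or its patch. The following is an added example, not code from go-vela/server, of the two checks a webhook receiver should apply before acting on a delivery: verify the HMAC signature the source control manager puts in `X-Hub-Signature-256` (GitHub's scheme), and then look the repository up by the identity the server already stores instead of adopting the owner the payload claims. The `repo` type, `processHook`, the hypothetical secret and the sample JSON bodies are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// repo stands in for a stored repository record (hypothetical shape, not Vela's model).
type repo struct {
	Owner string
	Name  string
}

// hookPayload holds the only fields from a GitHub push webhook that this example reads.
type hookPayload struct {
	Repository struct {
		FullName string `json:"full_name"`
		Owner    struct {
			Login string `json:"login"`
		} `json:"owner"`
	} `json:"repository"`
}

// signPayload produces the header value GitHub sends in X-Hub-Signature-256:
// "sha256=" followed by hex(HMAC-SHA256(secret, body)).
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature accepts only a well-formed sha256=<hex> header whose digest equals
// HMAC-SHA256(secret, body); hmac.Equal makes the comparison constant-time.
func verifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// processHook is the hardened receive path: an unsigned or mis-signed delivery is
// rejected outright, and a correctly signed body is still matched against the stored
// record so a payload cannot re-home a repository by naming a different owner.
func processHook(known map[string]repo, secret []byte, sig string, body []byte) (repo, error) {
	if !verifySignature(secret, body, sig) {
		return repo{}, errors.New("webhook signature mismatch")
	}
	var p hookPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return repo{}, fmt.Errorf("malformed payload: %w", err)
	}
	r, ok := known[p.Repository.FullName]
	if !ok {
		return repo{}, fmt.Errorf("unknown repository %q", p.Repository.FullName)
	}
	if r.Owner != p.Repository.Owner.Login {
		return repo{}, fmt.Errorf("payload owner %q does not match stored owner %q",
			p.Repository.Owner.Login, r.Owner)
	}
	return r, nil
}

func main() {
	secret := []byte("constructed-webhook-secret") // constructed, not a real credential
	known := map[string]repo{"octo/app": {Owner: "octo", Name: "app"}}

	genuine := []byte(`{"repository":{"full_name":"octo/app","owner":{"login":"octo"}}}`)
	spoofed := []byte(`{"repository":{"full_name":"octo/app","owner":{"login":"mallory"}}}`)

	_, err := processHook(known, secret, signPayload(secret, genuine), genuine)
	fmt.Println("genuine delivery:", err)
	// An attacker without the secret cannot sign the body.
	_, err = processHook(known, secret, signPayload([]byte("guess"), spoofed), spoofed)
	fmt.Println("spoofed, wrong secret:", err)
	// Even with a valid signature, the claimed owner must match the stored record.
	_, err = processHook(known, secret, signPayload(secret, spoofed), spoofed)
	fmt.Println("spoofed, valid signature:", err)
}
```

The second check is the one the advisory is really about: a signature proves the SCM sent the delivery, not that the fields inside it should be allowed to change who owns the repository on the CI side.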
GO-2022-1100 Vela Insecure Defaults in github.com/go-vela/server
Insecure Variable Substitution
github.com/go-vela/server is vulnerable to Insecure Variable Substitution. The vulnerability stems from combining variable substitution with non-secret (unmasked) pipeline fields such as parameters, image, and entrypoint. It allows an attacker to bypass log masking and...
CVE-2022-39395
CVE-2022-39395 : Vela’s default configuration allows container breakout in Vela Server/Worker (pre-0.16.0) and Vela UI (pre-0.17.0). Upgrading to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 is required to fix the issue; after patching, admins must explicitly adjust defaults to their desired confi...
PT-2022-24954 · Vela Server, Vela Worker, Vela UI
Name of the Vulnerable Software and Affected Versions: Vela Server versions prior to 0.16.0; Vela Worker versions prior to 0.16.0; Vela UI versions prior to 0.17.0. Description: The issue concerns default configurations in Vela that allow exploitation and container breakouts. Specifically, running...
Reject unauthorized access with GitHub PATs
Impact (what kind of vulnerability is it, who is impacted): The additional auth mechanism added in https://github.com/go-vela/server/pull/246 enables a malicious user to obtain secrets by utilizing the injected credentials within the /.netrc file. Steps to reproduce: 1. Create Vela server 2. Log...
GHSA-GV2H-GF8M-R68J Exposure of server configuration in github.com/go-vela/server
Impact (what kind of vulnerability is it, who is impacted): Configuration set in the Vela server can be exposed via the pipeline template functionality. It impacts all users of Vela. Sample template exposing server configuration using Sprig's env function (yaml): metadata: template: true steps:...
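The snippet above cuts off before the template body, but the mechanism it names is clear: a Go template rendered inside the server process with a function map that includes Sprig's `env` lets any pipeline author read the server's environment. The following added example, which is not Vela's template code and does not import Sprig, reproduces that shape with the standard library (`os.Getenv` registered under the same `env` name) and shows the hardening: drop the environment-reading functions from the `FuncMap` so the template fails at parse time instead of leaking. The template text, the `VELA_SERVER_SECRET` variable and its value are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// leakyTemplate is a constructed pipeline template of the kind a repository owner can
// submit; the env call is what pulls a server-side variable into the rendered pipeline.
const leakyTemplate = `metadata:
  template: true
steps:
  - name: leak
    image: alpine
    commands:
      - echo {{ env "VELA_SERVER_SECRET" | upper }}
`

// permissiveFuncs stands in for a function map that exposes the process environment
// to template authors, as Sprig's env and expandenv do.
func permissiveFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// restrictedFuncs keeps the harmless string helpers and removes every function that
// reads server state. text/template rejects calls to unknown functions at parse time,
// so a template using env is refused before anything is rendered or logged.
func restrictedFuncs() template.FuncMap {
	m := permissiveFuncs()
	delete(m, "env")
	delete(m, "expandenv")
	return m
}

// render parses and executes src with the given function map and returns the output.
func render(src string, funcs template.FuncMap) (string, error) {
	t, err := template.New("pipeline").Funcs(funcs).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	os.Setenv("VELA_SERVER_SECRET", "hunter2") // constructed value standing in for server config

	out, err := render(leakyTemplate, permissiveFuncs())
	fmt.Printf("permissive map: err=%v\n%s\n", err, out)

	_, err = render(leakyTemplate, restrictedFuncs())
	fmt.Printf("restricted map: err=%v\n", err)
}
```

Removing the functions is preferable to masking their output: a masked value can still be transformed inside the template (the `upper` pipe above is enough to defeat exact-string masking), while a function that is not in the map cannot be called at all.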
PT-2021-14504 · Vela
Name of the Vulnerable Software and Affected Versions: Vela versions 0.7.0 through 0.7.4. Description: The issue concerns an authentication mechanism added in version 0.7.0 of Vela, which enables malicious users to obtain secrets by utilizing injected credentials within the /.netrc file. This can ...