Vela Insecure Defaults
Description
Insecure default configurations in Vela CI/CD allow container breakouts and unauthorized code execution; upgrade to patched versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
CVE-2022-39395 describes multiple insecure default configurations in Vela Server, Worker, and UI prior to versions 0.16.0 and 0.17.0 [1]. The defaults include allowing privileged Docker images to run without explicit administrator intent, permitting any GitHub user to enable repositories on a publicly accessible instance, and enabling pull request events by default [3][4]. These settings collectively create a significant attack surface for container breakouts and unauthorized code execution.
Exploitation
An attacker with a GitHub account can enable a malicious repository on a publicly accessible Vela instance and trigger a build that runs a privileged container [3]. Because the default configuration allows the target/vela-docker plugin to run as privileged, the attacker can break out of the container and gain access to the worker host operating system [3][4]. Additionally, if pull request events are enabled, any user who can create a pull request against an enabled repository can trigger a Vela job, potentially accessing secrets configured for pull request builds [4].
Impact
Successful exploitation leads to container breakout, granting the attacker full control over the worker host. This can result in compromise of the entire CI/CD infrastructure, exposure of secrets, and lateral movement within the environment [3][4]. The risk is elevated for publicly accessible Vela instances not protected by a VPN.
Mitigation
Users should upgrade to Vela Server 0.16.0, Worker 0.16.0, and UI 0.17.0 [1]. After upgrading, administrators must explicitly change default settings to secure the instance. Workarounds include setting VELA_RUNTIME_PRIVILEGED_IMAGES to empty, using VELA_REPO_ALLOWLIST to restrict repository access, and auditing enabled repositories to disable pull request events if not needed [1][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
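The two workaround settings named under Mitigation, as an added example that is not Vela's own code: a small Go audit that mirrors the repository allowlist semantics before and after the 0.16.0 fix and flags the advisory's insecure defaults in a server or worker environment. It assumes list-valued variables are comma-separated and takes whether the deployed version carries the fix as a `fixed` flag rather than parsing version strings.

```go
package main

import (
	"fmt"
	"strings"
)

// splitList parses a comma-separated list value (the separator is an assumption).
func splitList(v string) []string {
	var out []string
	for _, s := range strings.Split(v, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// RepoAllowed mirrors the allowlist check before and after the fix: pre-0.16.0 an
// empty list admits any repo; from 0.16.0 only a single "*" entry does.
func RepoAllowed(repo string, allowlist []string, fixed bool) bool {
	if (!fixed && len(allowlist) == 0) || (fixed && len(allowlist) == 1 && allowlist[0] == "*") {
		return true
	}
	for _, a := range allowlist {
		if a == repo {
			return true
		}
	}
	return false
}

// AuditEnv reports the advisory's two insecure defaults for a server/worker
// environment, probing the allowlist with the constructed name "unlisted/repo".
func AuditEnv(env map[string]string, fixed bool) []string {
	var findings []string
	if imgs := splitList(env["VELA_RUNTIME_PRIVILEGED_IMAGES"]); len(imgs) > 0 {
		findings = append(findings, "privileged images permitted: "+strings.Join(imgs, ","))
	}
	if RepoAllowed("unlisted/repo", splitList(env["VELA_REPO_ALLOWLIST"]), fixed) {
		findings = append(findings, "any GitHub repo can be enabled (allowlist open)")
	}
	return findings
}

func main() {
	// Constructed environment reflecting the pre-fix defaults described in the advisory.
	env := map[string]string{"VELA_RUNTIME_PRIVILEGED_IMAGES": "target/vela-docker", "VELA_REPO_ALLOWLIST": ""}
	fmt.Println(AuditEnv(env, false)) // two findings on a pre-0.16.0 deployment
}
```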
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/go-vela/server | Go | < 0.16.0 | 0.16.0 |
| github.com/go-vela/worker | Go | < 0.16.0 | 0.16.0 |
Affected products
- ghsa-coords: 2 versions: < 0.16.0 + 1 more
- (no CPE), range: < 0.16.0
- (no CPE), range: < 0.16.0
Patches
05558ee99d70 Merge pull request from GHSA-5m7g-pj8w-7593
1 file changed · +6 −6
api/repo.go+6 −6 modified@@ -153,8 +153,7 @@ func CreateRepo(c *gin.Context) { if !input.GetAllowPull() && !input.GetAllowPush() && !input.GetAllowDeploy() && !input.GetAllowTag() && !input.GetAllowComment() { - // default events to push and pull_request - r.SetAllowPull(true) + // default event to push r.SetAllowPush(true) } else { r.SetAllowComment(input.GetAllowComment()) @@ -1044,11 +1043,12 @@ func ChownRepo(c *gin.Context) { } // checkAllowlist is a helper function to ensure only repos in the -// allowlist are allowed to enable repos. If the allowlist is -// empty then any repo can be enabled. +// allowlist are allowed to enable repos. +// +// a single entry of '*' allows any repo to be enabled. func checkAllowlist(r *library.Repo, allowlist []string) bool { - // if the allowlist is not set or empty allow any repo to be enabled - if len(allowlist) == 0 { + // check if all repos are allowed to be enabled + if len(allowlist) == 1 && allowlist[0] == "*" { return true }
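Review bot: In the CreateRepo hunk, removing `r.SetAllowPull(true)` only changes the default for repos created with no events selected; repos enabled under the old default keep their pull_request events, so the change needs either a migration or an explicit audit step for existing repos (the advisory's "review enabled repositories" workaround), and the comment `// default event to push` should say that push is now the sole default.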
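Review bot: In the checkAllowlist hunk, an unset or empty allowlist now denies every repo instead of allowing all, which is the intended fix but a breaking change for deployments that never set VELA_REPO_ALLOWLIST; the doc comment should state that an empty list denies everything and the release notes should call it out. The wildcard is also honoured only as the sole entry (`len(allowlist) == 1 && allowlist[0] == "*"`), so a list such as `*,org/repo` silently falls through to the remaining checks; either document that or reject mixed lists at config validation.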
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5m7g-pj8w-7593 (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39395 (ghsa, advisory)
- docs.docker.com/engine/security/ (ghsa, web)
- github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4 (ghsa, web)
- github.com/go-vela/server/releases/tag/v0.16.0 (ghsa, web)
- github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593 (ghsa, web)
- github.com/go-vela/ui/releases/tag/v0.17.0 (ghsa, web)
- github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v (ghsa, web)
- github.com/go-vela/worker/releases/tag/v0.16.0 (ghsa, web)
- github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w (ghsa, web)
- go-vela.github.io/docs/installation/server/reference/ (ghsa, web)
- go-vela.github.io/docs/installation/worker/reference/ (ghsa, web)
- pkg.go.dev/vuln/GO-2022-1100 (ghsa, web)