A critical authentication bypass in the Gradient CI system allows unauthenticated attackers to register as workers and manipulate sensitive build artifacts.

When the default configuration is enabled, the application fails to perform proper credential checks for new worker registration. This allows an unauthenticated attacker to inject a new worker UUID and gain full access to the internal API.

An attacker can intercept jobs from all organizations, push arbitrary store paths, and potentially compromise the entire CI/CD pipeline. With a CVSS score of 9.4, this vulnerability risks the integrity of the software supply chain and sensitive source code.

Immediate Action: Update Gradient to version 1.1.1 or disable the discoverable feature if an update is not immediately feasible.

Proactive Monitoring: Review worker registration logs for unauthorized UUIDs or unexpected worker connections.

Compensating Controls: Restrict network access to the /proto endpoint to trusted internal networks only.

Public Exploit Available: Unknown

Gradient users must prioritize the update to version 1.1.1. Securing the CI/CD pipeline is paramount to preventing supply chain attacks and maintaining the integrity of your development environment.