CVE-2026-52795
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
Gogs is an open-source Git service that in version 0.14.3 and earlier allows authenticated users to watch private repositories they do not have access to. The issue arises from an incorrectly implemented access check in the Watch API, enabling attackers to access information from private repositories.
Risk Assessment
Organizations may be exposed to the leakage of sensitive information from private repositories, potentially leading to data breaches and loss of customer trust.
Recommendation
It is recommended to update Gogs to the latest version to fix the access control issue and review user permissions for private repositories.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

