CVE-2026-52808
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
Gogs is an open source Git service that prior to version 0.14.3 had three API endpoints secured by reqRepoWriter() instead of reqRepoAdmin(). This allows collaborators with lower access levels than admin to perform unauthorized operations.
Risk Assessment
The organization may be exposed to unauthorized changes in repositories, such as disabling the native issue tracker or injecting malicious links, which could lead to data loss or user trust issues.
Recommendation
It is recommended to update Gogs to version 0.14.3 or later to secure the API against unauthorized access and review collaborator permissions.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync — none of which they are authorized to do. This vulnerability is fixed in 0.14.3.

