CVE Catalog

CVE-2026-52808

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile — higher than 38% of all known CVEs

Summary

Gogs is an open source Git service that prior to version 0.14.3 had three API endpoints secured by reqRepoWriter() instead of reqRepoAdmin(). This allows collaborators with lower access levels than admin to perform unauthorized operations.

Risk Assessment

The organization may be exposed to unauthorized changes in repositories, such as disabling the native issue tracker or injecting malicious links, which could lead to data loss or user trust issues.

Recommendation

It is recommended to update Gogs to version 0.14.3 or later to secure the API against unauthorized access and review collaborator permissions.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync — none of which they are authorized to do. This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS