Skip to main content

Gogs CVE-2026-47267

| EUVDEUVD-2026-39064 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-22 https://github.com/gogs/gogs GHSA-c4v7-xg93-qf8g
8.3
CVSS 3.1 · Vendor: https://github.com/gogs/gogs
Share

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
8.5 HIGH

Webhook creation needs an authenticated privileged account (PR:L); SSRF to cloud metadata changes scope (S:C) and can expose high-value internal secrets (C:H), with limited integrity and no direct availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS VectorVendor: https://github.com/gogs/gogs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Jun 24, 2026 - 21:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 24, 2026 - 21:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 24, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jun 24, 2026 - 21:22 NVD
8.3 (HIGH)
Source Code Evidence Fetched
Jun 22, 2026 - 23:16 vuln.today
Analysis Generated
Jun 22, 2026 - 23:16 vuln.today

DescriptionCVE.org

Summary

The fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs.

This was already communicated in the initial report but it looks like there was a bit of a miscommunication.

Details

By creating a webook pointing to any URL that will return the following:

HTTP/1.1 301 Moved Permanently
Location: http://169.254.169.254/metadata/v1.json
Content-Length: 0
Connection: close

It is possible to access 169.254.169.254

PoC

  1. Run netcat on any server
  2. Use this server as the webhook URL
  3. Once you get the request from the webhook (for example by testing it), copy the response above

Results from running this on try.gogs:

{"droplet_id":456901166,"hostname":"gogs-do-nyc3-01","vendor_data":"Content-Type: multipart/mixed; boundary=\"===============8645434374073493512==\"\nMIME-Version: 1.0\n\n--===============8645434374073493512==\nMIME-Version: 1.0\nContent-Type: text/cloud-config; charset=\"us-ascii\"\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename=\"cloud-config\"\n\n#cloud-config\n\n
# Enable root and password auth\ndisable_roo...{"dhcp_enabled":false,"vpc_peering_enabled":false},"dotty_status":"running","ssh_info":{"port":22}}

Impact

Server Side Request Forgery

Fix

The "simplest way" to fix it is most likely to leverage Client.CheckRedirect https://pkg.go.dev/net/http#hdr-Clients_and_Transports to check if the redirect is pointing to a blocked hostname

AnalysisAI

Server-side request forgery in Gogs (self-hosted Git service) versions ≤ 0.14.2 lets a user who can configure a webhook reach internal-only network addresses by abusing HTTP redirect following. The original CVE-2022-1285 fix only blocked webhook URLs whose hostname resolves into local CIDRs, but the delivery client still chased 3xx redirects, so a webhook pointed at an attacker-controlled host that returns a 301 to http://169.254.169.254/ pivots into cloud metadata and other internal services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate and gain webhook config rights
Delivery
Point webhook at attacker-controlled host
Exploit
Trigger test/event delivery
Execution
Host returns 301 to 169.254.169.254
Persist
Client follows redirect to internal metadata
Impact
Exfiltrate cloud credentials/internal data

Vulnerability AssessmentAI

Exploitation Requires the ability to create or test a webhook in Gogs ≤ 0.14.2 (typically a repository-admin authenticated account) and an attacker-controlled HTTP endpoint that returns a 3xx redirect to an internal address such as http://169.254.169.254/. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, 8.3 High) reflects network reachability, low complexity, scope change (the SSRF lets the app act against other systems), and limited C/I/A. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Gogs user with webhook-configuration rights sets a webhook to an attacker-controlled external host and triggers a test delivery; that host responds with HTTP 301 redirecting to http://169.254.169.254/metadata/v1.json, which the pre-0.14.3 client follows, returning cloud-instance metadata (e.g., DigitalOcean droplet config) to the attacker. With low attack complexity (AC:L) and a documented PoC, the attacker can harvest internal service responses or cloud credentials and pivot further into the environment.
Remediation Upgrade to the vendor-released patch: Gogs 0.14.3, which adds an http.Client.CheckRedirect policy that refuses to follow webhook redirects (PR #8263 / commit 199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018; advisory GHSA-c4v7-xg93-qf8g). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Gogs instances running versions ≤0.14.2; immediately restrict webhook configuration permissions to system administrators only and disable webhooks if not operationally required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47267 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy