Skip to main content

Gogs CVE-2026-52795

| EUVDEUVD-2026-39062 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-24 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Requires only a valid low-privilege Gogs account (PR:L) over the network; impact is limited to metadata confidentiality disclosure with no integrity or availability consequences.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 24, 2026 - 20:51 vuln.today
Analysis Generated
Jun 24, 2026 - 20:51 vuln.today

DescriptionCVE.org

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

AnalysisAI

Private repository metadata in Gogs 0.14.3 and earlier leaks to any authenticated user due to a boolean inversion in the Watch API access control check. An authenticated attacker who watches a private repository they are not authorized to view will receive commit messages, branch names, issue titles, and PR details via their dashboard activity feed - and full issue and comment content via email if notifications are enabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Gogs with valid low-privilege account
Delivery
Identify target private repository owner and name via enumeration or insider knowledge
Exploit
Send Watch subscription API request to private repository endpoint
Execution
Inverted access check grants watch permission instead of rejecting it
Persist
Monitor dashboard activity feed to harvest commit messages, branch names, and issue titles
Impact
Receive email notifications with full issue and comment content if server email is enabled

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Gogs account on the target instance - no administrative privileges or elevated roles are needed (CVSS PR:L confirms low-privilege access is sufficient). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is consistent with the description: network-accessible, low complexity, requiring only a valid account, with limited confidentiality impact and no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Gogs user with a valid low-privilege account but no access to a target private repository sends a Watch subscription API request (e.g., PUT /api/v1/repos/{owner}/{private-repo}/subscription) after learning the repository name through enumeration or insider knowledge. The inverted access check grants the watch rather than blocking it, and the attacker's activity dashboard begins surfacing commit messages, branch names, issue titles, and PR details. …
Remediation The upstream fix is available as commit d61caa3676fde060d0c03ccf815851dddc7c67e0 at https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0, correcting the boolean inversion in the Watch API handler; however, no officially released patched version number has been confirmed from the available data, so organizations should monitor the vendor advisory at https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2 for a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Gogs

View all
CVE-2014-8682 HIGH POC
7.5 Nov 21

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow r

CVE-2020-15867 HIGH POC
7.2 Oct 16

The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. Rated high severity (C

CVE-2024-39932 CRITICAL POC
9.9 Jul 04

Gogs through 0.13.0 allows argument injection during the previewing of changes. Rated critical severity (CVSS 9.9), this

CVE-2024-39930 CRITICAL POC
9.9 Jul 04

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code

CVE-2025-64111 CRITICAL POC
9.8 Feb 06

Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafte

CVE-2026-25242 CRITICAL POC
9.8 Feb 19

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload

CVE-2022-1986 CRITICAL POC
9.8 Jun 09

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

CVE-2026-25921 CRITICAL POC
9.3 Mar 05

Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.

CVE-2022-1992 CRITICAL POC
9.1 Jun 09

Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2022-0871 CRITICAL POC
9.1 Mar 11

Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. Rated critical severity (CVSS 9.1), this vulnerabi

CVE-2022-32174 CRITICAL POC
9.0 Oct 11

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account t

Share

CVE-2026-52795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy