Skip to main content

Gogs CVE-2026-52804

| EUVDEUVD-2026-39072 MEDIUM
Off-by-one Error (CWE-193)
2026-06-23 https://github.com/gogs/gogs GHSA-4565-r4x7-hg8j
5.5
CVSS 4.0 · Vendor: https://github.com/gogs/gogs
Share

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-exploitable via HTTP POST with PR:L because an existing admin collaborator role is required; high C/I/A because owner access enables full repository deletion and data destruction.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS VectorVendor: https://github.com/gogs/gogs

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 24, 2026 - 21:22 NVD
5.5 (MEDIUM)
Source Code Evidence Fetched
Jun 23, 2026 - 17:31 vuln.today
Analysis Generated
Jun 23, 2026 - 17:31 vuln.today

DescriptionCVE.org

Summary

A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function.

Vulnerable Code

In internal/database/repo_collaboration.go, line 129:

go
func (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {
    // Discard invalid input
    if mode <= AccessModeNone || mode > AccessModeOwner {
        return nil
    }

AccessModeOwner has value 4. The check mode > AccessModeOwner evaluates to 4 > 4 = false, allowing AccessModeOwner to pass through. The correct check should be mode >= AccessModeOwner.

The web route at internal/route/repo/setting.go:413-416 takes the mode as a raw integer from query parameters:

go
func ChangeCollaborationAccessMode(c *context.Context) {
    if err := c.Repo.Repository.ChangeCollaborationAccessMode(
        c.QueryInt64("uid"),
        database.AccessMode(c.QueryInt("mode"))); err != nil {

This allows an admin collaborator to POST mode=4 and escalate to owner.

Impact

A repository admin collaborator (AccessModeAdmin = 3) can escalate to owner-level access (AccessModeOwner = 4), gaining the ability to:

  • Delete the repository
  • Transfer repository ownership to another user
  • Erase wiki data
  • Perform all other owner-only operations

The access table is also updated (line 181), so the escalated permissions persist across sessions.

Contrast

The API route at internal/route/api/v1/repo_collaborators.go:46 uses ParseAccessMode() which only returns Read, Write, or Admin - never Owner. The API endpoint is not affected.

Steps to Reproduce

  1. User A creates a private repository
  2. User A adds User B as a collaborator with Admin access (mode=3)
  3. User B logs in and navigates to the repository settings collaboration page
  4. User B sends a POST request:
   POST /{owner}/{repo}/settings/collaboration/access_mode?uid={B_uid}&mode=4
  1. User B now has Owner access - the "Danger Zone" section appears with "Delete This Repository" and "Transfer Ownership" buttons

Suggested Fix

Change the validation in internal/database/repo_collaboration.go line 129 from:

go
if mode <= AccessModeNone || mode > AccessModeOwner {

to:

go
if mode <= AccessModeNone || mode >= AccessModeOwner {

AnalysisAI

Privilege escalation in Gogs versions prior to 0.14.3 allows repository admin collaborators to elevate their own access to owner-level by exploiting an off-by-one boundary check in the ChangeCollaborationAccessMode function. The web route accepts a raw integer mode query parameter, and the faulty guard mode > AccessModeOwner evaluates to false when mode equals 4, letting an admin (mode=3) POST mode=4 to silently receive full owner privileges - including the ability to delete the repository, transfer ownership, and erase wiki data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin collaborator grant on target repository
Delivery
Authenticate to Gogs web interface
Exploit
POST mode=4 to collaboration access_mode route
Execution
Off-by-one check passes mode=4 as valid
Persist
Database persists owner-level access in access table
Impact
Execute owner-only operations (delete repository or transfer ownership)

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold admin collaborator access (AccessModeAdmin=3) explicitly granted by the repository owner - Gogs installations with no admin-level collaborators are not at risk from this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No NVD CVSS score is available at time of analysis; my independently assessed score of CVSS 3.1 8.8 (High) reflects network exploitability with a low-privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has been legitimately granted admin collaborator access (mode=3) to a private Gogs repository authenticates to the instance and sends a single crafted HTTP POST to `/{owner}/{repo}/settings/collaboration/access_mode?uid={their_own_uid}&mode=4`. The faulty boundary check passes mode=4 as valid, the database writes owner-level access to both the collaboration record and the persistent access table, and the attacker immediately gains access to the repository Danger Zone - enabling them to delete the repository or transfer ownership to an account they control. …
Remediation Upgrade Gogs to version 0.14.3 or later, which resolves the issue via commit 1fdc9cc28e159135cfa4d6b11ecd5daa0f8ce22b and PR #8227 (https://github.com/gogs/gogs/pull/8227). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy