Skip to main content

Gogs CVE-2026-52809

| EUVDEUVD-2026-39079 MEDIUM
Use of a Key Past its Expiration Date (CWE-324)
2026-06-23 https://github.com/gogs/gogs GHSA-5c3f-6486-3g7g
6.8
CVSS 3.1 · Vendor: https://github.com/gogs/gogs
Share

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
6.8 MEDIUM

AC:H reflects the dual prerequisite of a misconfigured lifetime delta and prior token interception; C:H/I:H reflects full account takeover; A:N as no service disruption results.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS VectorVendor: https://github.com/gogs/gogs

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 17:35 vuln.today
Analysis Generated
Jun 23, 2026 - 17:35 vuln.today

DescriptionCVE.org

Summary

Password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry.

Severity

Medium (CVSS 3.1: 6.8)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

  • Attack Vector: Network - the reset endpoint is reachable over HTTP/S.
  • Attack Complexity: High - successful exploitation requires (1) the instance to be configured with RESET_PASSWORD_CODE_LIVES < ACTIVATE_CODE_LIVES, AND (2) the attacker to have intercepted the victim's reset token (e.g., from a compromised or shared email inbox).
  • Privileges Required: None - no Gogs account is required.
  • User Interaction: Required - the victim must have triggered a password-reset request.
  • Scope: Unchanged - the impact is confined to the victim's Gogs account.
  • Confidentiality Impact: High - successful exploitation leads to account takeover, exposing all private repositories and data.
  • Integrity Impact: High - the attacker can change the victim's password and gain full write access.
  • Availability Impact: None.

Affected component

  • internal/userx/userx.go - GenerateActivateCode() (line 39)
  • internal/email/email.go - SendResetPasswordMail() (line 132)
  • internal/route/user/auth.go - verifyUserActiveCode() (lines 426-439) and ResetPasswdPost() (line 621)

CWE

  • CWE-324: Use of a Key Past Its Expiration Date
  • CWE-613: Insufficient Session Expiration

Description

The reset token lifetime is hardcoded to ActivateCodeLives at generation

GenerateActivateCode (called for both account activation and password reset) bakes conf.Auth.ActivateCodeLives - not ResetPasswordCodeLives - into the token as a 6-digit field:

go
// internal/userx/userx.go:36-46
func GenerateActivateCode(userID int64, email, name, password, rands string) string {
    code := tool.CreateTimeLimitCode(
        fmt.Sprintf("%d%s%s%s%s", userID, email, strings.ToLower(name), password, rands),
        conf.Auth.ActivateCodeLives,   // ← always ActivateCodeLives, never ResetPasswordCodeLives
        nil,
    )
    code += hex.EncodeToString([]byte(strings.ToLower(name)))
    return code
}

CreateTimeLimitCode embeds the minutes value at positions 12-17 of the token:

Token format: YYYYMMDDHHMM (12) | 000180 (6-digit lives) | SHA1 (40) | hex-username

SendResetPasswordMail calls u.GenerateEmailActivateCode(u.Email()) - which resolves to GenerateActivateCode - with no option to pass a different lifetime:

go
// internal/email/email.go:131-132
func SendResetPasswordMail(c *macaron.Context, u User) error {
    return SendUserMail(c, u, tmplAuthResetPassword, u.GenerateEmailActivateCode(u.Email()), ...)
}

ResetPasswordCodeLives is used only for display, not enforcement

VerifyTimeLimitCode discards the minutes argument and re-extracts the lifetime directly from the token itself:

go
// internal/tool/tool.go:62-86
func VerifyTimeLimitCode(data string, minutes int, code string) bool {
    start := code[:12]
    lives := code[12:18]
    if d, err := strconv.Atoi(lives); err == nil {
        minutes = d    // ← argument overridden by value baked into the token
    }
    retCode := CreateTimeLimitCode(data, minutes, start)
    if retCode == code && minutes > 0 {
        before, _ := time.ParseInLocation("200601021504", start, time.Local)
        if before.Add(time.Minute * time.Duration(minutes)).Unix() > now.Unix() {
            return true
        }
    }
    return false
}

The verifyUserActiveCode caller passes conf.Auth.ActivateCodeLives as minutes, but it makes no difference:

go
// internal/route/user/auth.go:426-439
func verifyUserActiveCode(code string) (user *database.User) {
    minutes := conf.Auth.ActivateCodeLives   // passed to VerifyTimeLimitCode but immediately overridden
    if user = parseUserFromCode(code); user != nil {
        prefix := code[:tool.TimeLimitCodeLength]
        data := strconv.FormatInt(user.ID, 10) + user.Email + user.LowerName + user.Password + user.Rands
        if tool.VerifyTimeLimitCode(data, minutes, prefix) {
            return user
        }
    }
    return nil
}

ResetPasswdPost validates the reset token through verifyUserActiveCode, so it inherits the same flaw:

go
// internal/route/user/auth.go:621
if u := verifyUserActiveCode(code); u != nil {

ResetPasswordCodeLives appears only in email template data and in the admin config display - it has zero effect on actual token validation:

go
// internal/email/email.go:109 - template data only, not used to generate the token
"ResetPwdCodeLives": conf.Auth.ResetPasswordCodeLives / 60,

Full execution chain

  1. Victim requests reset: POST /user/forget_passwordSendResetPasswordMail generates a token embedding ActivateCodeLives = 180 at bytes 12-17.
  2. Email delivered: The reset email says "link valid for 10 minutes" (from ResetPwdCodeLives in the template) but the embedded lifetime is 180.
  3. RESET_PASSWORD_CODE_LIVES window closes: After 10 minutes the victim believes the link has expired.
  4. Attacker submits the token: POST /user/reset_password?code=<TOKEN>ResetPasswdPostverifyUserActiveCodeVerifyTimeLimitCode extracts 000180 from the token → confirms the token has not yet reached the 180-minute mark → returns the user object → password is updated.
  5. Account takeover: Attacker sets a new password and authenticates as the victim.

Proof of Concept

ini
# app.ini configuration that exposes the bug:
[auth]
ACTIVATE_CODE_LIVES = 180
RESET_PASSWORD_CODE_LIVES = 10
bash
# 1) Request password reset for victim account
curl -i -X POST -d 'email=victim@example.com' http://HOST/user/forget_password
# 2) Obtain the reset link from the email.
#    Wait 11 minutes (past RESET_PASSWORD_CODE_LIVES, within ACTIVATE_CODE_LIVES).
# 3) Submit the "expired" reset code - it still succeeds
curl -i -X POST \
  -d 'code=<CODE_FROM_EMAIL>&password=AttackerNewPass' \
  'http://HOST/user/reset_password?code=<CODE_FROM_EMAIL>'
# Expected: HTTP 302 redirect to /user/login - password successfully changed
# despite the reset window having "closed" 10 minutes ago.

Impact

  • An administrator who sets RESET_PASSWORD_CODE_LIVES shorter than ACTIVATE_CODE_LIVES to limit the window of exposure for intercepted reset emails gets no security benefit from that configuration.
  • Reset tokens remain valid for the full activation lifetime (default 3 hours), giving an attacker who has intercepted a reset email a much larger window to use it.
  • The reset email actively misleads users by advertising a shorter expiry that is never enforced.
  • All password-reset operations are affected; there is no per-user or per-request way to issue a correctly-expiring token.

Recommended remediation

Option 1: Add a ResetPasswordCodeLives-aware generation function (preferred)

Introduce a dedicated code-generation path that passes conf.Auth.ResetPasswordCodeLives instead of ActivateCodeLives:

go
// internal/userx/userx.go
func GenerateResetPasswordCode(userID int64, email, name, password, rands string) string {
    code := tool.CreateTimeLimitCode(
        fmt.Sprintf("%d%s%s%s%s", userID, email, strings.ToLower(name), password, rands),
        conf.Auth.ResetPasswordCodeLives,   // ← correct lifetime
        nil,
    )
    code += hex.EncodeToString([]byte(strings.ToLower(name)))
    return code
}

Update email.User to expose this through the interface:

go
// internal/email/email.go interface
GenerateResetPasswordCode(email string) string

Update SendResetPasswordMail to call it:

go
func SendResetPasswordMail(c *macaron.Context, u User) error {
    return SendUserMail(c, u, tmplAuthResetPassword, u.GenerateResetPasswordCode(u.Email()), ...)
}

Because VerifyTimeLimitCode reads the lifetime from the token itself, no change to the verification side is required - tokens generated with ResetPasswordCodeLives will automatically expire at the correct time.

Option 2: Validate the extracted lifetime against the configured maximum

Add a post-extraction check in VerifyTimeLimitCode or in the reset-specific verification function to reject tokens whose embedded lifetime exceeds ResetPasswordCodeLives:

go
// in verifyUserActiveCode, after extracting the prefix:
embeddedLives := ... // parse positions 12-18 of the code
if embeddedLives > conf.Auth.ResetPasswordCodeLives {
    return nil  // reject tokens with a longer-than-allowed lifetime
}

This is a defence-in-depth measure but does not fix the root cause; Option 1 is preferred.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

AnalysisAI

Password-reset tokens in Gogs self-hosted Git service (versions before 0.14.3) remain valid for the full account-activation lifetime - up to 3 hours by default - regardless of the administrator-configured RESET_PASSWORD_CODE_LIVES setting, because GenerateActivateCode() hardcodes conf.Auth.ActivateCodeLives into the token at generation time. An attacker who obtains an intercepted reset token can exploit it far beyond the intended expiry window to perform full account takeover, exposing all private repositories and source code. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Victim requests Gogs password reset
Delivery
Server generates token embedding ActivateCodeLives (e.g., 180 min)
Exploit
Reset email advertises shorter false expiry (e.g., 10 min)
Install
Attacker reads intercepted reset email after 10-min window closes
C2
Submits token to POST /user/reset_password
Execute
VerifyTimeLimitCode extracts embedded 180-min lifetime, accepts token
Impact
Attacker sets new password and achieves account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions to hold: (1) the Gogs instance must be configured in `app.ini` with `RESET_PASSWORD_CODE_LIVES` set to a value strictly less than `ACTIVATE_CODE_LIVES` - instances where both values are equal or where `RESET_PASSWORD_CODE_LIVES` was never explicitly reduced below the default are not exploitable beyond the normal token window; and (2) the attacker must have obtained the victim's password-reset token from the reset email, most likely via a shared, forwarded, or otherwise compromised mailbox. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.8 (Medium, AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) is well-calibrated: the AC:H rating reflects two mandatory simultaneous conditions that significantly constrain the realistic attacker population. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with read access to a victim's email account - via a shared inbox, email forwarding rule, or compromised mail credentials - waits for the victim to trigger a Gogs password-reset request, then allows the administrator-configured `RESET_PASSWORD_CODE_LIVES` window (e.g., 10 minutes) to elapse so the victim believes the link is expired. The attacker then submits the intercepted token to `POST /user/reset_password?code=<TOKEN>` up to 170 minutes later; because the token embeds the 180-minute `ACTIVATE_CODE_LIVES` value, `VerifyTimeLimitCode` accepts it and updates the victim's password. …
Remediation Upgrade Gogs to version 0.14.3 or later; the patch is confirmed via GitHub PR #8328 (https://github.com/gogs/gogs/pull/8328) and commit 187e9c557930eb4a8b9b1502ee45cccf3255ee7f, which introduces a dedicated `GenerateResetPasswordCode()` function that correctly uses `conf.Auth.ResetPasswordCodeLives` as the token lifetime. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy