Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Requires only a valid low-privilege Gogs account (PR:L) over the network; impact is limited to metadata confidentiality disclosure with no integrity or availability consequences.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.
AnalysisAI
Private repository metadata in Gogs 0.14.3 and earlier leaks to any authenticated user due to a boolean inversion in the Watch API access control check. An authenticated attacker who watches a private repository they are not authorized to view will receive commit messages, branch names, issue titles, and PR details via their dashboard activity feed - and full issue and comment content via email if notifications are enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Gogs account on the target instance - no administrative privileges or elevated roles are needed (CVSS PR:L confirms low-privilege access is sufficient). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is consistent with the description: network-accessible, low complexity, requiring only a valid account, with limited confidentiality impact and no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Gogs user with a valid low-privilege account but no access to a target private repository sends a Watch subscription API request (e.g., PUT /api/v1/repos/{owner}/{private-repo}/subscription) after learning the repository name through enumeration or insider knowledge. The inverted access check grants the watch rather than blocking it, and the attacker's activity dashboard begins surfacing commit messages, branch names, issue titles, and PR details. … |
| Remediation | The upstream fix is available as commit d61caa3676fde060d0c03ccf815851dddc7c67e0 at https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0, correcting the boolean inversion in the Watch API handler; however, no officially released patched version number has been confirmed from the available data, so organizations should monitor the vendor advisory at https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2 for a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow r
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. Rated high severity (C
Gogs through 0.13.0 allows argument injection during the previewing of changes. Rated critical severity (CVSS 9.9), this
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code
Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafte
Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.8), this vulnerabil
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9. Rated critical severity (CVSS 9.1), this vulnerability is
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. Rated critical severity (CVSS 9.1), this vulnerabi
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account t
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39062