Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Header forging needs no privileges (PR:N) and is trivial (AC:L) once the non-default proxy-auth feature is on; admin impersonation compromises confidentiality and integrity, so C:H/I:H, A:N.
Primary rating from Vendor (https://github.com/gogs/gogs).
CVSS VectorVendor: https://github.com/gogs/gogs
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Summary
When ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication.
Root Cause
The vulnerability exists because Gogs reads the authentication header directly from the incoming HTTP request without any verification that the header was set by a trusted reverse proxy.
Vulnerable Code Flow
In internal/context/auth.go lines 206-234:
func authenticatedUser(store AuthStore, ctx *macaron.Context, sess session.Store) (_ *database.User, isBasicAuth, isTokenAuth bool) {
// ... existing auth checks ...
if uid <= 0 {
if conf.Auth.EnableReverseProxyAuthentication {
// Reads header DIRECTLY from client request - NO VALIDATION!
webAuthUser := ctx.Req.Header.Get(conf.Auth.ReverseProxyAuthenticationHeader)
if len(webAuthUser) > 0 {
user, err := store.GetUserByUsername(ctx.Req.Context(), webAuthUser)
if err != nil {
if !database.IsErrUserNotExist(err) {
log.Error("Failed to get user by name: %v", err)
return nil, false, false
}
// Check if enabled auto-registration.
if conf.Auth.EnableReverseProxyAutoRegistration {
// Creates new user with forged username!
user, err = store.CreateUser(
ctx.Req.Context(),
webAuthUser,
gouuid.NewV4().String()+"@localhost",
database.CreateUserOptions{
Activated: true,
},
)
if err != nil {
log.Error("Failed to create user %q: %v", webAuthUser, err)
return nil, false, false
}
}
}
// Returns user as authenticated without any verification!
return user, false, false
}
}
// ... fallback to basic auth ...
}
// ...
}The code has zero validation that:
- The request came through a reverse proxy
- The header was set by the proxy (not the client)
- Gogs is actually behind a reverse proxy
- The direct access to Gogs is restricted
The vulnerability occurs when:
- Gogs is publicly accessible (e.g.,
0.0.0.0:3000) ENABLE_REVERSE_PROXY_AUTHENTICATION = true
Proof of Concept
Prerequisites
Gogs instance with the following configuration in custom/conf/app.ini:
[auth]
ENABLE_REVERSE_PROXY_AUTHENTICATION = trueAn attacker can impersonate any user including administrators:
# Become admin instantly
curl http://gogs.example.com/ -H "X-WEBAUTH-USER: <username>"<img width="1835" height="1143" alt="impersonation_example" src="https://github.com/user-attachments/assets/bae60772-5eb3-4f54-9fe0-5db01595bd56" />
Recommended Fixes
Add validation to ensure headers come from trusted sources:
func authenticatedUser(store AuthStore, ctx *macaron.Context, sess session.Store) (_ *database.User, isBasicAuth, isTokenAuth bool) {
// ... existing code ...
if uid <= 0 {
if conf.Auth.EnableReverseProxyAuthentication {
// Validate request is from trusted proxy
if !isRequestFromTrustedProxy(ctx.Req) {
log.Warn("Reverse proxy auth header received from untrusted source: %s", ctx.RemoteAddr())
return nil, false, false
}
webAuthUser := ctx.Req.Header.Get(conf.Auth.ReverseProxyAuthenticationHeader)
// ... rest of the code ...
}
}
// ...
}
// New validation function
func isRequestFromTrustedProxy(req *http.Request) bool {
// Check if request is from localhost/trusted IPs
remoteIP := getRemoteIP(req)
// Only accept from localhost by default
if remoteIP.IsLoopback() {
return true
}
// Check against configured trusted proxy IPs
for _, trustedIP := range conf.Auth.TrustedProxyIPs {
if remoteIP.String() == trustedIP {
return true
}
}
return false
}Add configuration option:
[auth]
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
REVERSE_PROXY_AUTHENTICATION_HEADER = X-WEBAUTH-USER
; Comma-separated list of trusted proxy IPs (default: 127.0.0.1)
TRUSTED_PROXY_IPS = 127.0.0.1,::1
; Whether to require trusted proxy validation (recommended: true)
REQUIRE_TRUSTED_PROXY = trueReferences
AnalysisAI
Authentication bypass in Gogs (self-hosted Git service) versions <= 0.14.2 allows any remote attacker who can reach the service to forge the X-WEBAUTH-USER header and impersonate any account, including administrators, when ENABLE_REVERSE_PROXY_AUTHENTICATION is turned on. Because Gogs trusts the reverse-proxy auth header without verifying the request actually came from the proxy, an attacker can also trigger automatic admin-level account creation if auto-registration is enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Publicly available exploit code exists; immediate action required. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39063
GHSA-w6j9-vw59-27wv