Skip to main content

EUVDEUVD-2026-39063

| CVE-2026-25119 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-06-22 https://github.com/gogs/gogs GHSA-w6j9-vw59-27wv
7.7
CVSS 4.0 · Vendor: https://github.com/gogs/gogs
Share

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Header forging needs no privileges (PR:N) and is trivial (AC:L) once the non-default proxy-auth feature is on; admin impersonation compromises confidentiality and integrity, so C:H/I:H, A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS VectorVendor: https://github.com/gogs/gogs

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 24, 2026 - 21:36 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 24, 2026 - 21:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 24, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jun 24, 2026 - 21:22 NVD
7.7 (HIGH)
Source Code Evidence Fetched
Jun 22, 2026 - 17:50 vuln.today
Analysis Generated
Jun 22, 2026 - 17:50 vuln.today

DescriptionCVE.org

Summary

When ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication.

Root Cause

The vulnerability exists because Gogs reads the authentication header directly from the incoming HTTP request without any verification that the header was set by a trusted reverse proxy.

Vulnerable Code Flow

In internal/context/auth.go lines 206-234:

go
func authenticatedUser(store AuthStore, ctx *macaron.Context, sess session.Store) (_ *database.User, isBasicAuth, isTokenAuth bool) {
    // ... existing auth checks ...

    if uid <= 0 {
        if conf.Auth.EnableReverseProxyAuthentication {
            // Reads header DIRECTLY from client request - NO VALIDATION!
            webAuthUser := ctx.Req.Header.Get(conf.Auth.ReverseProxyAuthenticationHeader)
            if len(webAuthUser) > 0 {
                user, err := store.GetUserByUsername(ctx.Req.Context(), webAuthUser)
                if err != nil {
                    if !database.IsErrUserNotExist(err) {
                        log.Error("Failed to get user by name: %v", err)
                        return nil, false, false
                    }

                    // Check if enabled auto-registration.
                    if conf.Auth.EnableReverseProxyAutoRegistration {
                        // Creates new user with forged username!
                        user, err = store.CreateUser(
                            ctx.Req.Context(),
                            webAuthUser,
                            gouuid.NewV4().String()+"@localhost",
                            database.CreateUserOptions{
                                Activated: true,
                            },
                        )
                        if err != nil {
                            log.Error("Failed to create user %q: %v", webAuthUser, err)
                            return nil, false, false
                        }
                    }
                }
                // Returns user as authenticated without any verification!
                return user, false, false
            }
        }
        // ... fallback to basic auth ...
    }
    // ...
}

The code has zero validation that:

  1. The request came through a reverse proxy
  2. The header was set by the proxy (not the client)
  3. Gogs is actually behind a reverse proxy
  4. The direct access to Gogs is restricted

The vulnerability occurs when:

  • Gogs is publicly accessible (e.g., 0.0.0.0:3000)
  • ENABLE_REVERSE_PROXY_AUTHENTICATION = true

Proof of Concept

Prerequisites

Gogs instance with the following configuration in custom/conf/app.ini:

ini
[auth]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

An attacker can impersonate any user including administrators:

bash
# Become admin instantly
curl http://gogs.example.com/ -H "X-WEBAUTH-USER: <username>"

<img width="1835" height="1143" alt="impersonation_example" src="https://github.com/user-attachments/assets/bae60772-5eb3-4f54-9fe0-5db01595bd56" />

Recommended Fixes

Add validation to ensure headers come from trusted sources:

go
func authenticatedUser(store AuthStore, ctx *macaron.Context, sess session.Store) (_ *database.User, isBasicAuth, isTokenAuth bool) {
    // ... existing code ...

    if uid <= 0 {
        if conf.Auth.EnableReverseProxyAuthentication {
            // Validate request is from trusted proxy
            if !isRequestFromTrustedProxy(ctx.Req) {
                log.Warn("Reverse proxy auth header received from untrusted source: %s", ctx.RemoteAddr())
                return nil, false, false
            }

            webAuthUser := ctx.Req.Header.Get(conf.Auth.ReverseProxyAuthenticationHeader)
            // ... rest of the code ...
        }
    }
    // ...
}

// New validation function
func isRequestFromTrustedProxy(req *http.Request) bool {
    // Check if request is from localhost/trusted IPs
    remoteIP := getRemoteIP(req)

    // Only accept from localhost by default
    if remoteIP.IsLoopback() {
        return true
    }

    // Check against configured trusted proxy IPs
    for _, trustedIP := range conf.Auth.TrustedProxyIPs {
        if remoteIP.String() == trustedIP {
            return true
        }
    }

    return false
}

Add configuration option:

ini
[auth]
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
REVERSE_PROXY_AUTHENTICATION_HEADER = X-WEBAUTH-USER
; Comma-separated list of trusted proxy IPs (default: 127.0.0.1)
TRUSTED_PROXY_IPS = 127.0.0.1,::1
; Whether to require trusted proxy validation (recommended: true)
REQUIRE_TRUSTED_PROXY = true

References

AnalysisAI

Authentication bypass in Gogs (self-hosted Git service) versions <= 0.14.2 allows any remote attacker who can reach the service to forge the X-WEBAUTH-USER header and impersonate any account, including administrators, when ENABLE_REVERSE_PROXY_AUTHENTICATION is turned on. Because Gogs trusts the reverse-proxy auth header without verifying the request actually came from the proxy, an attacker can also trigger automatic admin-level account creation if auto-registration is enabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Publicly available exploit code exists; immediate action required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy