Skip to main content

Gogs EUVDEUVD-2026-39071

| CVE-2026-52799 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-22 https://github.com/gogs/gogs GHSA-p9f5-h3rx-j5qw
7.5
CVSS 3.1 · Vendor: https://github.com/gogs/gogs
Share

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Remote unauthenticated HTTP GET against default config; confidentiality-only disclosure of private attachments, no integrity or availability impact; AC:L because the request is trivial once a UUID is known.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS VectorVendor: https://github.com/gogs/gogs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 00:14 vuln.today
Analysis Generated
Jun 23, 2026 - 00:14 vuln.today

DescriptionCVE.org

Summary

In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository.

Description

/attachments/:uuid retrieves an attachment record solely by the UUID provided in the URL and returns the corresponding local file without performing any authorization checks against the attachment’s parent object (Issue/Comment/Release) or the repository it belongs to. As a result, even attachments under private repositories can be downloaded by an unauthenticated user (or a user without proper permissions) as long as the UUID is known.

Relevant code (internal/cmd/web.go:306):

go
m.Get("/attachments/:uuid", func(c *context.Context) {
	attach, err := database.GetAttachmentByUUID(c.Params(":uuid"))
	if err != nil {
		c.NotFoundOrError(err, "get attachment by UUID")
		return
	} else if !com.IsFile(attach.LocalPath()) {
		c.NotFound()
		return
	}

	fr, err := os.Open(attach.LocalPath())
	if err != nil {
		c.Error(err, "open attachment file")
		return
	}
	defer fr.Close()

	c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	c.Header().Set("Cache-Control", "public,max-age=86400")
	c.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, attach.Name))

	if _, err = io.Copy(c.Resp, fr); err != nil {
		c.Error(err, "copy from file to response")
		return
	}
})

The UUID lookup itself also performs no validation tied to repository visibility or user permissions. Authorization is not enforced at this layer.

Relevant code (internal/database/attachment.go:124):

go
// GetAttachmentByUUID returns attachment by given UUID.
func GetAttachmentByUUID(uuid string) (*Attachment, error) {
	return getAttachmentByUUID(x, uuid)
}

Preconditions

  • The attacker knows the target attachment’s UUID (i.e., the attachment URL).
  • For unauthenticated exploitation: [auth] REQUIRE_SIGNIN_VIEW = false.
  • Even when REQUIRE_SIGNIN_VIEW = true, exploitation may still be possible because the handler does not check repository-level permissions; a user who can log in but lacks access to the target repository may still retrieve the attachment.

Steps to Reproduce

  1. Log in as an administrator and create a private repository, e.g. myadmin/idor-attach-1770724346-1a13bb.
  2. Add an attachment to an Issue in that repository and note the attachment UUID

(example UUID used during testing: f06d90f8-5b62-4c10-ac8d-f11fdf870b57).

  1. Log out and access the following as an unauthenticated user:
  • The repository page → 404 Not Found

<img width="1702" height="758" alt="image" src="https://github.com/user-attachments/assets/8fdb1d92-cfc3-4ef8-977e-60ec13f792df" />

  • The Issue page under that repository → 404 Not Found

<img width="1983" height="546" alt="image" src="https://github.com/user-attachments/assets/c44c5e69-8ca2-4ea6-a071-62302b7e896f" />

  • GET /attachments/<uuid>the attachment file is successfully downloaded

<img width="2007" height="378" alt="image" src="https://github.com/user-attachments/assets/23950ac6-6b3a-42f8-a06b-b9e0cf508d24" />

Minimum Required Privileges

  • REQUIRE_SIGNIN_VIEW = false: none (works without authentication).
  • REQUIRE_SIGNIN_VIEW = true: only the ability to log in (repository view permission is not required in practice).

Impact

  • Confidential information attached to private repositories or restricted Issues/Releases may be disclosed.
  • Examples include credentials, cryptographic keys, personal data, internal documents, or unpublished source code fragments.
  • While the severity depends on the attachment contents, attachments frequently contain sensitive data, making the potential impact high.

AnalysisAI

Information disclosure in Gogs 0.14.1 (and all versions ≤ 0.14.2) allows unauthenticated remote attackers who know or guess an attachment UUID to download files attached to issues, comments, and releases in private repositories. The /attachments/:uuid endpoint performs no repository-level authorization check, so private-repo attachments - credentials, keys, internal documents, unpublished source - leak when REQUIRE_SIGNIN_VIEW = false. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain attachment UUID from leak or log
Delivery
Send GET /attachments/<uuid> to Gogs instance
Exploit
Bypass missing authorization check
Execution
Receive raw private-repo attachment file
Impact
Exfiltrate credentials or sensitive data

Vulnerability AssessmentAI

Exploitation Attacker must know (or otherwise obtain) the version-4 UUID of a target attachment - guessing is infeasible, so realistic vectors are UUID leakage via referer headers, proxy/access logs, shared links, browser history, or prior legitimate access that was later revoked. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5 High) accurately captures a remote, unauthenticated, low-complexity confidentiality-only flaw - but real-world risk is meaningfully gated by UUID knowledge. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker harvests attachment UUIDs from any source that leaks them - public bug-report cross-references, browser-extension telemetry, web-proxy logs, a shared internal chat, or a former employee's bookmarks - then issues `GET https://gogs.example.com/attachments/<uuid>` directly, bypassing the 404 returned by the private repository and issue pages. The handler returns the raw file (often credentials, SSH keys, customer data, or unpublished source pasted into a private issue) without ever consulting repository ACLs. …
Remediation Vendor-released patch: upgrade to Gogs 0.14.3 or later (https://github.com/gogs/gogs/releases/tag/v0.14.3), which lands PR #8320 (https://github.com/gogs/gogs/pull/8320, commit d3ca23f9f33d5710472a775d6dcd3a7bb128bb05) and adds the missing `repo.HasAccess()` check on `/attachments/:uuid`. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Verify Gogs deployment version and catalog all private repositories in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy