Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable via HTTP POST with PR:L because an existing admin collaborator role is required; high C/I/A because owner access enables full repository deletion and data destruction.
Primary rating from Vendor (https://github.com/gogs/gogs).
CVSS VectorVendor: https://github.com/gogs/gogs
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function.
Vulnerable Code
In internal/database/repo_collaboration.go, line 129:
func (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {
// Discard invalid input
if mode <= AccessModeNone || mode > AccessModeOwner {
return nil
}AccessModeOwner has value 4. The check mode > AccessModeOwner evaluates to 4 > 4 = false, allowing AccessModeOwner to pass through. The correct check should be mode >= AccessModeOwner.
The web route at internal/route/repo/setting.go:413-416 takes the mode as a raw integer from query parameters:
func ChangeCollaborationAccessMode(c *context.Context) {
if err := c.Repo.Repository.ChangeCollaborationAccessMode(
c.QueryInt64("uid"),
database.AccessMode(c.QueryInt("mode"))); err != nil {This allows an admin collaborator to POST mode=4 and escalate to owner.
Impact
A repository admin collaborator (AccessModeAdmin = 3) can escalate to owner-level access (AccessModeOwner = 4), gaining the ability to:
- Delete the repository
- Transfer repository ownership to another user
- Erase wiki data
- Perform all other owner-only operations
The access table is also updated (line 181), so the escalated permissions persist across sessions.
Contrast
The API route at internal/route/api/v1/repo_collaborators.go:46 uses ParseAccessMode() which only returns Read, Write, or Admin - never Owner. The API endpoint is not affected.
Steps to Reproduce
- User A creates a private repository
- User A adds User B as a collaborator with Admin access (mode=3)
- User B logs in and navigates to the repository settings collaboration page
- User B sends a POST request:
POST /{owner}/{repo}/settings/collaboration/access_mode?uid={B_uid}&mode=4- User B now has Owner access - the "Danger Zone" section appears with "Delete This Repository" and "Transfer Ownership" buttons
Suggested Fix
Change the validation in internal/database/repo_collaboration.go line 129 from:
if mode <= AccessModeNone || mode > AccessModeOwner {to:
if mode <= AccessModeNone || mode >= AccessModeOwner {AnalysisAI
Privilege escalation in Gogs versions prior to 0.14.3 allows repository admin collaborators to elevate their own access to owner-level by exploiting an off-by-one boundary check in the ChangeCollaborationAccessMode function. The web route accepts a raw integer mode query parameter, and the faulty guard mode > AccessModeOwner evaluates to false when mode equals 4, letting an admin (mode=3) POST mode=4 to silently receive full owner privileges - including the ability to delete the repository, transfer ownership, and erase wiki data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold admin collaborator access (AccessModeAdmin=3) explicitly granted by the repository owner - Gogs installations with no admin-level collaborators are not at risk from this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No NVD CVSS score is available at time of analysis; my independently assessed score of CVSS 3.1 8.8 (High) reflects network exploitability with a low-privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has been legitimately granted admin collaborator access (mode=3) to a private Gogs repository authenticates to the instance and sends a single crafted HTTP POST to `/{owner}/{repo}/settings/collaboration/access_mode?uid={their_own_uid}&mode=4`. The faulty boundary check passes mode=4 as valid, the database writes owner-level access to both the collaboration record and the persistent access table, and the attacker immediately gains access to the repository Danger Zone - enabling them to delete the repository or transfer ownership to an account they control. … |
| Remediation | Upgrade Gogs to version 0.14.3 or later, which resolves the issue via commit 1fdc9cc28e159135cfa4d6b11ecd5daa0f8ce22b and PR #8227 (https://github.com/gogs/gogs/pull/8227). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-193 – Off-by-one Error
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39072
GHSA-4565-r4x7-hg8j