CVE-2026-25119

UNKNOWN 0.0

Gogs: Authentication Bypass via Unvalidated Reverse Proxy Headers

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication. This vulnerability is fixed in 0.14.3.

CWE	CWE-290
Vendor	gogs
Product	gogs
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for gogs gogs

Be the first to know when new unknown vulnerabilities affecting gogs gogs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

gogs / gogs

< 0.14.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gogs/gogs/security/advisories/GHSA-w6j9-vw59-27wv github.com: https://github.com/gogs/gogs/pull/8264 github.com: https://github.com/gogs/gogs/commit/0089c4c8e5b8d99eb6e5c8727f8f40d765f1f58a github.com: https://github.com/gogs/gogs/releases/tag/v0.14.3