CVE Alert

CVE-2026-52795

MEDIUM 4.3

Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity

CVSS Score: 4.3
EPSS Score: 0.0%
EPSS Percentile: 0th

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks `if repoCtx.ViewerCanRead()` (returns 404 when the user CAN read) instead of `if !repoCtx.ViewerCanRead()` (returns 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.
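The inverted condition described above, shown side by side with the corrected form. This is an added illustration written for this page, not code from the Gogs repository or its fix commit: the `repoContext` type, its `private`/`viewerHasAccess` fields, the handler names `watchHandlerInverted` and `watchHandlerFixed`, the `statusFor` helper, and the use of 204 as the success status are all assumptions made for the example; only the `ViewerCanRead()` method name and the 404 denial come from the advisory text.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// repoContext is a constructed stand-in for the repository context a Watch API
// handler consults. It is not the Gogs type; it carries only what the example needs.
type repoContext struct {
	private         bool // repository visibility (assumed field)
	viewerHasAccess bool // requesting user is a collaborator or owner (assumed field)
}

// ViewerCanRead reports whether the requesting user may read this repository:
// public repositories are readable by anyone, private ones only by collaborators.
func (c *repoContext) ViewerCanRead() bool {
	return !c.private || c.viewerHasAccess
}

// watchHandlerInverted reproduces the logic error the advisory describes: the
// authorization check is negated, so legitimate readers receive 404 while users
// with no access fall through to the "watch recorded" path.
func watchHandlerInverted(ctx *repoContext, w http.ResponseWriter) {
	if ctx.ViewerCanRead() { // BUG: condition is inverted
		w.WriteHeader(http.StatusNotFound)
		return
	}
	w.WriteHeader(http.StatusNoContent) // 204 is assumed here as the success status
}

// watchHandlerFixed is the corrected form: deny with 404 unless the viewer can read.
// Returning 404 rather than 403 avoids confirming that the private repository exists.
func watchHandlerFixed(ctx *repoContext, w http.ResponseWriter) {
	if !ctx.ViewerCanRead() {
		w.WriteHeader(http.StatusNotFound)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// statusFor drives a handler with a response recorder and returns the status it wrote,
// which is what a regression test for this class of bug should assert on.
func statusFor(handler func(*repoContext, http.ResponseWriter), ctx *repoContext) int {
	rec := httptest.NewRecorder()
	handler(ctx, rec)
	return rec.Code
}

func main() {
	outsider := &repoContext{private: true, viewerHasAccess: false}
	member := &repoContext{private: true, viewerHasAccess: true}
	fmt.Printf("inverted: outsider=%d member=%d\n",
		statusFor(watchHandlerInverted, outsider), statusFor(watchHandlerInverted, member))
	fmt.Printf("fixed:    outsider=%d member=%d\n",
		statusFor(watchHandlerFixed, outsider), statusFor(watchHandlerFixed, member))
}
```

Running it prints `inverted: outsider=204 member=404` followed by `fixed: outsider=404 member=204`, which is the signature of an inverted guard: both the allow and the deny cases come out wrong, so a single test that exercises one non-reader against a private repository would have caught it.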

CWE: CWE-863
Vendor: gogs
Product: gogs
Published: Jun 24, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Affected Versions

gogs / gogs
<= 0.14.3

References

NVD | CVE.org | EPSS Data
github.com: https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2
github.com: https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0