CVE-2026-52808

HIGH 7.1

Gogs: Write-level collaborators can mutate admin-only repository settings via API

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync — none of which they are authorized to do. This vulnerability is fixed in 0.14.3.

CWE	CWE-863 CWE-269
Vendor	gogs
Product	gogs
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for gogs gogs

Be the first to know when new high vulnerabilities affecting gogs gogs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected Versions

gogs / gogs

< 0.14.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gogs/gogs/security/advisories/GHSA-268j-37xf-pp52 github.com: https://github.com/gogs/gogs/pull/8327 github.com: https://github.com/gogs/gogs/commit/6283462119bd8894f1599d70339b5e823f99954a github.com: https://github.com/gogs/gogs/releases/tag/v0.14.3