Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Published: 2026-02-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A flaw in the Gogs source-code Git service allows a user with authentication to terminate the application by deleting a repository file before the system synchronizes it. The bug triggers an internal crash, disrupting the availability of the service for all users. The weakness is categorized as a missing authorization flaw (CWE‑862).

Affected Systems

The vulnerability affects the Gogs self-hosted Git service for all installations running version 0.13.3 or earlier. The issue has been fixed in 0.13.4 and in subsequent development builds 0.14.0+.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS value of less than 1% suggests a low probability of exploitation. Because the attack requires an authenticated user with write access to a repository, the threat surface is limited primarily to insiders or compromised accounts, and it is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to 0.13.4 or later (including 0.14.0+dev).
  • If an upgrade cannot be performed immediately, restrict deletion of repository files or temporarily disable synchronization until the update is applied.
  • Configure file‑system permissions to prevent users from deleting repository files that are not already scheduled for removal, thereby reducing the chance of a crash.

Generated by OpenCVE AI on April 18, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cr88-6mqm-4g57 Gogs has a Denial of Service issue
History

Tue, 17 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Title Gogs is Vulnerable to Denial of Service
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gogs Gogs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:55:18.874Z

Reserved: 2026-01-07T21:50:39.532Z

Link: CVE-2026-22592

cve-icon Vulnrichment

Updated: 2026-02-06T18:55:03.347Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T18:15:56.357

Modified: 2026-02-17T21:40:59.010

Link: CVE-2026-22592

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses