Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Published: 2026-02-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized repository modification via read‑only token
Action: Patch immediately
AI Analysis

Impact

The vulnerability allows a user possessing only read‑only permissions to modify the contents of a repository by sending a "PUT /repos/:owner/:repo/contents/*" request. After passing a lax permission check, the backend commits and pushes the changes, thereby granting an attacker the ability to alter, add or delete files in the target repository. This grants the attacker significant impact on confidentiality and integrity of the repository content without requiring elevated privileges.

Affected Systems

The issue affects Gogs versions 0.13.3 and earlier. The fix is included in versions 0.13.4 and 0.14.0+dev. Users running any older version should review their deployment and confirm whether the vulnerability applies.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% points to a very low exploitation probability at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. The likely attack vector is a compromised read‑only token, a credential that an attacker may obtain through phishing or credential reuse. If such a token is used by an attacker to call the vulnerable endpoint, they can modify repository contents, potentially injecting malicious code or disrupting service.

Generated by OpenCVE AI on April 17, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.13.4 or any later 0.14.0+dev release where the permission check is corrected
  • Revoke or tightly scope any existing read‑only access tokens that have repository access and verify that only tokens with explicit write permissions can call the update content endpoint
  • As an interim measure, audit and restrict API access for read‑only tokens by disabling the vulnerable endpoint or adding an authorization filter to enforce write‑level checks
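To make the last action concrete, here is an added example of an authorization filter that ties the required repository permission to the HTTP method. It is not Gogs's code: the AccessMode type, the token store, the route and the function names are this example's own assumptions. The legacy policy models the behaviour the advisory describes, where any assigned permission (read included) passes regardless of method; the hardened policy refuses a PUT from a read-only token while still letting the same token GET. It generalises slightly beyond the advisory in that every non-safe method (POST, PUT, PATCH, DELETE) is treated as requiring write access, not only PUT.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AccessMode is a hypothetical, coarse repository permission level; the
// names are this example's, not Gogs's own types.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
)

func (m AccessMode) String() string {
	return []string{"none", "read", "write", "admin"}[m]
}

// tokenModes is a constructed token store: an API token maps to the access
// mode it carries for the repository being requested.
var tokenModes = map[string]AccessMode{
	"tok-read-only": AccessRead,
	"tok-writer":    AccessWrite,
}

// requiredMode is the minimum permission a request needs. Safe methods only
// read; every other method mutates repository state and needs write access.
func requiredMode(method string) AccessMode {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return AccessRead
	default:
		return AccessWrite
	}
}

// legacyAllows models the pre-fix behaviour the advisory describes: any
// assigned permission, read included, passes whatever the HTTP method.
func legacyAllows(mode AccessMode, method string) bool {
	return mode >= AccessRead
}

// hardenedAllows ties the permission check to the HTTP method, so a PUT to
// the contents endpoint from a read-only token is refused.
func hardenedAllows(mode AccessMode, method string) bool {
	return mode >= requiredMode(method)
}

// requireRepoAccess is the authorization filter wrapping the contents
// handler. It resolves the bearer token to an access mode and applies the
// supplied policy before the handler can touch the repository.
func requireRepoAccess(policy func(AccessMode, string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "token ")
		mode, ok := tokenModes[token]
		if !ok || mode == AccessNone {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !policy(mode, r.Method) {
			http.Error(w, "forbidden: "+mode.String()+" permission cannot "+r.Method, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// putContents stands in for the handler that would commit and push; reaching
// it means the authorization filter let the request through.
var putContents = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "file updated, commit created and pushed")
})

// statusFor sends one request to a hypothetical contents route under the
// given policy and returns the HTTP status the filter produced.
func statusFor(policy func(AccessMode, string) bool, token, method string) int {
	h := requireRepoAccess(policy, putContents)
	req := httptest.NewRequest(method, "/repos/alice/demo/contents/README.md", nil)
	req.Header.Set("Authorization", "token "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	policies := []struct {
		name   string
		allows func(AccessMode, string) bool
	}{{"legacy", legacyAllows}, {"hardened", hardenedAllows}}
	for _, p := range policies {
		for _, tok := range []string{"tok-read-only", "tok-writer"} {
			fmt.Printf("%-8s %-14s PUT -> %d\n", p.name, tok, statusFor(p.allows, tok, http.MethodPut))
		}
	}
}
```

The check to keep when porting this idea to a real deployment is the second one: the status a read-only token gets on a PUT. If it is 200 under the policy in force, the filter is not enforcing write-level access for that route, which is exactly the gap the advisory describes.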


Advisories
Source: Github GHSA
ID: GHSA-5qhx-gwfj-6jqr
Title: Gogs user can update repository content with read-only permission
History

Tue, 17 Feb 2026 22:00:00 +0000

Type: CPEs
Values: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values: Gogs; Gogs gogs
Type: Vendors & Products
Values: Gogs; Gogs gogs

Fri, 06 Feb 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 18:00:00 +0000

Type: Description
Values: Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Type: Title
Values: Gogs user can update repository content with read-only permission
Type: Weaknesses
Values: CWE-862; CWE-863
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:54:15.180Z

Reserved: 2026-01-14T16:08:37.482Z

Link: CVE-2026-23632

Vulnrichment

Updated: 2026-02-06T18:54:11.066Z

NVD

Status : Analyzed

Published: 2026-02-06T18:15:56.553

Modified: 2026-02-17T21:53:45.123

Link: CVE-2026-23632

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses