Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass via unvalidated reverse proxy headers. When Gogs enables reverse proxy authentication, it accepts a header such as X-WEBAUTH-USER directly from client requests without confirming that the request originated from a trusted reverse proxy. This weakness is a form of insecure trust in externally supplied authentication information (CWE-290, Authentication Bypass by Spoofing). As a result, any remote user who can reach the Gogs service may forge this header, causing Gogs to authenticate the request as any user or to automatically create a new account. This allows full impersonation and unauthorized access, violating confidentiality and integrity.

Affected Systems

Affected are installations of the Gogs open-source Git service running any version prior to v0.14.3 when reverse proxy authentication is enabled.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attacker only needs network access to the Gogs instance. By sending a request with a forged X-WEBAUTH-USER header, the attacker can impersonate any existing user or create a new account, effectively bypassing authentication and gaining full control over the repository server.

Generated by OpenCVE AI on June 24, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gogs v0.14.3 or later to apply the official fix.
  • If upgrading is not immediately possible, disable reverse proxy authentication by setting ENABLE_REVERSE_PROXY_AUTHENTICATION to false and ensure that no external headers are accepted.
  • Alternatively, configure Gogs to validate the source of reverse proxy headers, restricting them to trusted IP addresses or internal networks, or change the header that is accepted for reverse proxy authentication.
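The trusted-proxy check described in the recommendations above, as an added example in Go (not Gogs code and not from the advisory): the X-WEBAUTH-USER header is honoured only when the TCP peer address is inside an allow-list of proxy networks, and is stripped otherwise. The CIDRs, addresses and user names are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthHeader is the identity header a trusted reverse proxy sets after it
// has authenticated the user (the Gogs default named in the advisory).
const AuthHeader = "X-WEBAUTH-USER"

// FromTrustedProxy checks the TCP peer address (r.RemoteAddr, never a
// forwarding header, which the client also controls) against the allow-list.
func FromTrustedProxy(remoteAddr string, cidrs []string) bool {
	host, _, err := net.SplitHostPort(remoteAddr) // RemoteAddr is "ip:port"
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	for _, c := range cidrs {
		if _, n, perr := net.ParseCIDR(c); perr == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// AuthUser returns the identity asserted in AuthHeader only for requests from a
// trusted proxy; otherwise it deletes the header (so nothing downstream can
// act on a forged value, including auto account creation) and returns "".
func AuthUser(r *http.Request, cidrs []string) string {
	if !FromTrustedProxy(r.RemoteAddr, cidrs) {
		r.Header.Del(AuthHeader)
		return ""
	}
	return strings.TrimSpace(r.Header.Get(AuthHeader))
}

func main() {
	// Constructed demo: proxies live in 10.0.0.0/8; 203.0.113.7 is a direct client.
	cidrs := []string{"10.0.0.0/8"}
	for _, addr := range []string{"10.0.0.5:4321", "203.0.113.7:5555"} {
		r := httptest.NewRequest("GET", "/", nil)
		r.RemoteAddr = addr
		r.Header.Set(AuthHeader, "admin")
		fmt.Printf("%s -> user=%q\n", addr, AuthUser(r, cidrs))
	}
}
```

The same check belongs at the proxy too: the reverse proxy should overwrite, not merely forward, X-WEBAUTH-USER, so a client-supplied copy never reaches the application.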


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-w6j9-vw59-27wv
Title: Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers
History

Wed, 24 Jun 2026 20:30:00 +0000

Values added:

Description: Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication. This vulnerability is fixed in 0.14.3.
Title: Gogs: Authentication Bypass via Unvalidated Reverse Proxy Headers
Weaknesses: CWE-290
References: (none listed)
Metrics: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:07:32.497Z

Reserved: 2026-01-29T14:03:42.539Z

Link: CVE-2026-25119

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T22:00:04Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing