Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Repository Label Modification
Action: Patch
AI Analysis

Impact

This vulnerability is a broken access control flaw that allows an authenticated user who has write permission on any repository to modify labels belonging to other repositories. The flaw resides in the Web UI label update endpoint where the system fails to validate that the label being altered actually belongs to the repository in the URL. As a result, a malicious user could change labels across repositories, potentially undermining project organization, filtering, or reporting mechanisms. The weakness is a classic authorization bypass (CWE‑284).
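The description above says the handler looked the label up with a query that never involved the repository named in the URL path. The following Go sketch is an added illustration, not Gogs code: the store, the `getLabelByID` / `getLabelOfRepoByID` helpers and the two handler variants are hypothetical stand-ins constructed for this example, and the sample labels are constructed data. It shows why an unscoped primary-key lookup lets a caller with write access to one repository reach a label owned by another, and how scoping the lookup to the URL's repository closes that path.

```go
package main

import (
	"errors"
	"fmt"
)

// Label is a simplified model: every label belongs to exactly one repository.
type Label struct {
	ID     int64
	RepoID int64
	Name   string
}

// labelStore stands in for the labels table. Constructed sample data:
// repository 1 owns label 10, repository 2 owns label 20.
var labelStore map[int64]*Label

// resetStore rebuilds the sample data so each scenario starts clean.
func resetStore() {
	labelStore = map[int64]*Label{
		10: {ID: 10, RepoID: 1, Name: "bug"},
		20: {ID: 20, RepoID: 2, Name: "security"},
	}
}

func init() { resetStore() }

var errLabelNotExist = errors.New("label does not exist in this repository")

// getLabelByID (hypothetical) looks a label up by primary key only.
// This is the unscoped pattern the advisory describes: the repository
// taken from the URL never enters the query.
func getLabelByID(id int64) (*Label, error) {
	l, ok := labelStore[id]
	if !ok {
		return nil, errLabelNotExist
	}
	return l, nil
}

// getLabelOfRepoByID (hypothetical) scopes the lookup to the repository,
// so a label ID belonging to another repository is simply "not found".
func getLabelOfRepoByID(repoID, id int64) (*Label, error) {
	l, ok := labelStore[id]
	if !ok || l.RepoID != repoID {
		return nil, errLabelNotExist
	}
	return l, nil
}

// updateLabelVulnerable models the broken handler: the caller has already
// been authorized for urlRepoID, but that value is never used in the lookup.
func updateLabelVulnerable(urlRepoID, labelID int64, newName string) error {
	_ = urlRepoID // the missing ownership check
	l, err := getLabelByID(labelID)
	if err != nil {
		return err
	}
	l.Name = newName
	return nil
}

// updateLabelFixed models the corrected handler: the lookup is bound to the
// repository the caller is authorized for, so cross-repository IDs fail.
func updateLabelFixed(urlRepoID, labelID int64, newName string) error {
	l, err := getLabelOfRepoByID(urlRepoID, labelID)
	if err != nil {
		return err
	}
	l.Name = newName
	return nil
}

// labelName reports the current name of a label in the store.
func labelName(id int64) string { return labelStore[id].Name }

func main() {
	// A user authorized for repository 1 submits label ID 20, owned by repository 2.
	fmt.Println("vulnerable:", updateLabelVulnerable(1, 20, "renamed"), labelName(20))
	resetStore()
	fmt.Println("fixed:     ", updateLabelFixed(1, 20, "renamed"), labelName(20))
}
```

The fix is a query-shape change rather than an extra branch: when every lookup that feeds a mutation is keyed by the already-authorized repository, there is no separate ownership comparison to forget.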

Affected Systems

The affected product is Gogs, an open source self‑hosted Git service. Versions 0.13.4 and earlier are susceptible to the exploit. The issue was remedied in version 0.14.1, which reintroduced proper repository ownership checks on the label update handler.

Risk and Exploitability

The severity of the flaw is moderate with a CVSS score of 5.3, and the EPSS score indicates a very low probability of exploitation (<1%). It is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with write access to any repository. Such a user can issue a POST request to /:username/:reponame/labels/edit and target labels from other repositories because the ownership validation is bypassed. No additional prerequisites or conditions are apparent from the data, so the vulnerability requires only legitimate repository write permissions and the ability to perform HTTP requests to the web interface.

Generated by OpenCVE AI on April 18, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.1 or later to restore proper label ownership checks.
  • Review and limit write permissions for users to only those repositories they manage; users without write access should not be granted the ability to edit labels.
  • Ensure role‑based access control restricts label modification rights to project owners only.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-cv22-72px-f4gh
Title: Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs
History

Thu, 19 Feb 2026 20:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Thu, 19 Feb 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Gogs; Gogs gogs

Type: Vendors & Products
Values Added: Gogs; Gogs gogs

Thu, 19 Feb 2026 03:30:00 +0000

Type: Description
Values Added: Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.

Type: Title
Values Added: Gogs Authorization Bypass Allows Cross-Repository Label Modification

Type: Weaknesses
Values Added: CWE-284

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:44:28.915Z

Reserved: 2026-01-30T14:44:47.328Z

Link: CVE-2026-25229

Vulnrichment

Updated: 2026-02-19T17:04:52.892Z

NVD

Status : Analyzed

Published: 2026-02-19T07:17:45.363

Modified: 2026-02-19T19:45:35.503

Link: CVE-2026-25229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses