Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of access tokens via URLs leading to credential leakage
Action: Immediate Patch
AI Analysis

Impact

Before 0.14.2 the Gogs API accepts an access token supplied in the token or access_token URL query parameter as well as in the Authorization header. A token placed in the URL is written verbatim into the access logs of Gogs and of any reverse proxy or CDN in front of it, kept in browser history, and sent to third-party sites in the Referer header when a page loaded from such a URL links elsewhere. Anyone who can read those logs or histories, or who operates a site that receives the referrer, obtains a valid token and with it whatever access that token grants to repositories and the data in them. The flaw does not give code execution or server compromise on its own; it is a credential disclosure (CWE-598, use of GET request method with sensitive query strings) that raises the risk of account takeover.
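The following Go program is an added example, not Gogs source code, that contrasts the pre-0.14.2 token lookup the advisory describes (header first, then a fallback to the token and access_token query parameters) with a hardened lookup that reads the Authorization header only. The "token <value>" header scheme, the hostname and the token values are assumptions constructed for the example. The accessLogLine helper shows why the query-string form matters: the request target, query string included, is what a web server or proxy writes to its access log, while headers normally are not.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// tokenFromAuthHeader returns the credential carried in an Authorization
// header of the form "token <value>" or "Bearer <value>" (the schemes assumed
// for this example), and "" if neither is present.
func tokenFromAuthHeader(r *http.Request) string {
	h := r.Header.Get("Authorization")
	for _, scheme := range []string{"token ", "Bearer "} {
		if len(h) > len(scheme) && strings.EqualFold(h[:len(scheme)], scheme) {
			return strings.TrimSpace(h[len(scheme):])
		}
	}
	return ""
}

// legacyTokenFromRequest models the behaviour the advisory attributes to
// Gogs before 0.14.2: if no header credential is present it falls back to
// the "token" and "access_token" query parameters, so the secret lives in
// the URL and in everything that records the URL.
func legacyTokenFromRequest(r *http.Request) string {
	if tok := tokenFromAuthHeader(r); tok != "" {
		return tok
	}
	q := r.URL.Query()
	if tok := q.Get("token"); tok != "" {
		return tok
	}
	return q.Get("access_token")
}

// hardenedTokenFromRequest accepts the credential from the header only.
func hardenedTokenFromRequest(r *http.Request) string {
	return tokenFromAuthHeader(r)
}

// hasQueryToken reports whether a URL still carries a token parameter. A
// hardened server, or a reverse proxy in front of an unpatched one, can use
// this to reject such requests with 400 so that clients are forced to move
// the token into the header. Rejecting does not undo the exposure of that
// particular request (the URL is still logged); it stops the pattern.
func hasQueryToken(u *url.URL) bool {
	q := u.Query()
	return q.Get("token") != "" || q.Get("access_token") != ""
}

// accessLogLine mimics the request line a typical web server or reverse
// proxy writes: method, full request target (query string included) and
// protocol. A query-string token is persisted verbatim; a header token is not.
func accessLogLine(r *http.Request) string {
	return fmt.Sprintf("%s %s %s", r.Method, r.URL.RequestURI(), r.Proto)
}

// newRequest builds a request for the demonstration; the Authorization
// header is only set when authHeader is non-empty.
func newRequest(method, target, authHeader string) *http.Request {
	r, err := http.NewRequest(method, target, nil)
	if err != nil {
		panic(err)
	}
	if authHeader != "" {
		r.Header.Set("Authorization", authHeader)
	}
	return r
}

func main() {
	// Constructed sample requests; the host and token value are made up.
	leaky := newRequest("GET", "https://git.example.test/api/v1/user/repos?token=t0k3n", "")
	safe := newRequest("GET", "https://git.example.test/api/v1/user/repos", "token t0k3n")
	for _, r := range []*http.Request{leaky, safe} {
		fmt.Printf("log: %q\n", accessLogLine(r))
		fmt.Printf("  legacy=%q hardened=%q rejected=%v\n",
			legacyTokenFromRequest(r), hardenedTokenFromRequest(r), hasQueryToken(r.URL))
	}
}
```

Running it prints two log lines: the first contains t0k3n inside the request target and is accepted by the legacy lookup but ignored by the hardened one, the second carries no token in the logged line yet authenticates through the header.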

Affected Systems

All Gogs releases before 0.14.2 are affected (recorded CPE: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*). Gogs is an open-source self-hosted Git service; the vulnerable component is the API authentication code, which reads the token from the URL query parameters token and access_token in addition to the Authorization header.

Risk and Exploitability

The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) rates the issue medium; the CVSS 3.1 record gives 5.3 for the same confidentiality-only impact. The EPSS score below 1% indicates a very low current probability of exploitation. The issue is not in the CISA KEV catalog, which means no confirmed active exploitation has been reported to CISA, not that no exploit exists. No attack against the server is needed: a token is exposed whenever a client, script or integration already places it in the URL, so the practical attacker is anyone with read access to Gogs or reverse-proxy access logs, to a shared browser profile, or to a site that receives the Referer header from a page loaded with such a URL. The log and history paths are usually internal; the referrer path is remote, which is what the network attack vector reflects.

Generated by OpenCVE AI on April 16, 2026 at 12:14 UTC.

Remediation

Fixed in Gogs 0.14.2 (vendor advisory GHSA-x9p5-w45c-7ffc). The vendor lists no workaround for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.2 or later, where the API no longer accepts tokens in URL parameters.
  • Search the access logs of Gogs and of every reverse proxy or CDN in front of it for requests and Referer values containing token= or access_token=; revoke and reissue every token found before purging the entries, since purging a log does not invalidate a token that has already been read.
  • Until the upgrade is deployed, have the reverse proxy reject API requests whose query string contains token or access_token, and reconfigure clients, scripts and CI jobs to send the token exclusively in the Authorization header.
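An added example, not part of the OpenCVE page or of Gogs, of the log search recommended above: a Go scanner for access logs in the common combined format (client, request line, status, bytes, Referer, User-Agent). It flags token or access_token parameters both in the request target and in the Referer field, so that referrer leakage is caught as well, and reports only the first four characters of each token so the report itself does not reproduce the secret. The log lines, addresses and token values are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Finding records one access-log line that exposed a token.
type Finding struct {
	Line      int
	Client    string
	Where     string // "request" (query string of the request target) or "referer"
	Param     string // "token" or "access_token"
	TokenHint string // first four characters of the token, rest masked
}

// combinedRe matches the combined log format:
// client - user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
var combinedRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"`)

// tokenParams are the query parameter names the advisory says Gogs accepted.
var tokenParams = []string{"token", "access_token"}

// tokenInURL returns the first token parameter found in a request target or
// absolute URL. Values are percent-decoded by url.Query.
func tokenInURL(raw string) (param, value string, ok bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", false
	}
	q := u.Query()
	for _, p := range tokenParams {
		if v := q.Get(p); v != "" {
			return p, v, true
		}
	}
	return "", "", false
}

// mask keeps a short prefix for identifying the token and hides the rest.
func mask(tok string) string {
	if len(tok) <= 4 {
		return "****"
	}
	return tok[:4] + strings.Repeat("*", len(tok)-4)
}

// ScanAccessLog returns one Finding per exposure, in line order. Lines that
// do not parse as combined format are skipped rather than reported.
func ScanAccessLog(logText string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		m := combinedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		client, target, referer := m[1], m[3], m[4]
		if p, v, ok := tokenInURL(target); ok {
			out = append(out, Finding{Line: n, Client: client, Where: "request", Param: p, TokenHint: mask(v)})
		}
		if p, v, ok := tokenInURL(referer); ok {
			out = append(out, Finding{Line: n, Client: client, Where: "referer", Param: p, TokenHint: mask(v)})
		}
	}
	return out
}

// distinctHints lists the distinct token prefixes seen, i.e. the revocation list.
func distinctHints(findings []Finding) []string {
	seen := map[string]bool{}
	for _, f := range findings {
		seen[f.TokenHint] = true
	}
	hints := make([]string, 0, len(seen))
	for h := range seen {
		hints = append(hints, h)
	}
	sort.Strings(hints)
	return hints
}

// sampleLog is constructed for the example; addresses are from documentation
// ranges and the token values are made up.
const sampleLog = `203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "GET /api/v1/user/repos?token=a1b2c3d4e5f6 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [05/Mar/2026:10:00:02 +0000] "GET /api/v1/user HTTP/1.1" 200 128 "-" "curl/8.5.0"
198.51.100.9 - - [05/Mar/2026:10:01:10 +0000] "GET /api/v1/repos/alice/app/contents/README.md?access_token=f6e5d4c3b2a1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2026:10:01:11 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "https://git.example.test/api/v1/repos/alice/app?token=f6e5d4c3b2a1" "Mozilla/5.0"
`

func main() {
	findings := ScanAccessLog(sampleLog)
	for _, f := range findings {
		fmt.Printf("line %d client %s: %s in %s (%s)\n", f.Line, f.Client, f.Param, f.Where, f.TokenHint)
	}
	fmt.Println("tokens to revoke:", distinctHints(findings))
}
```

On the sample input the scanner reports three exposures (two in request targets, one in a Referer) but only two distinct tokens to revoke, because the same token leaked twice; an operator would feed the log files of every proxy layer through ScanAccessLog, revoke the matching tokens, and only then purge the entries.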

Generated by OpenCVE AI on April 16, 2026 at 12:14 UTC.

Tracking


Advisories

Source | ID | Title
GitHub GHSA | GHSA-x9p5-w45c-7ffc | Gogs: Access tokens get exposed through URL params in API requests
History

Fri, 06 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gogs; Gogs gogs
CPEs | | cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
Vendors & Products | | Gogs; Gogs gogs
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Thu, 05 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.
Title | | Gogs: Access tokens get exposed through URL params in API requests
Weaknesses | | CWE-598
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:08:07.473Z

Reserved: 2026-02-11T19:56:24.813Z

Link: CVE-2026-26196

Vulnrichment

Updated: 2026-03-06T18:08:01.799Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:04.080

Modified: 2026-03-05T22:04:11.257

Link: CVE-2026-26196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses