Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs allows users to create webhook deliveries that can be pointed at arbitrary URLs. Prior to version 0.14.3, the fix for a previous remote‑code execution vulnerability prevented webhooks from using URLs whose hostnames resolve to IPs in private or local CIDR ranges. However, the system still follows HTTP redirects, which means an attacker can point a webhook at a URL that redirects to an internal host, thereby enabling a Server‑Side Request Forgery. The vulnerability enables an attacker to cause Gogs to issue requests to internal resources, potentially exposing sensitive data or facilitating further attacks inside the network. This flaw is addressed by releases starting with 0.14.3. This is a CWE‑918 vulnerability.

Affected Systems

The affected product is Gogs, an open‑source self‑hosted Git service. Versions before 0.14.3 are vulnerable. No specific sub‑version list is provided, but any build of Gogs older than 0.14.3 is impacted.

Risk and Exploitability

The CVSS score for this weakness is 8.3, indicating substantial risk. The EPSS score is unavailable and it is not listed in CISA KEV. Attackers need the ability to add or trigger a webhook inside the Gogs instance; this requirement is inferred from typical permissions needed for creating or triggering hooks, and is not explicitly stated in the description. Once a webhook can be manipulated, the redirect‑follow flaw can cause Gogs to send requests to internal hosts, exposing internal resources and potentially enabling further exploitation of internal services. Overall risk remains high due to the severity score and the potential impact on internal network confidentiality, integrity, and availability.

Generated by OpenCVE AI on June 24, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or newer, which removes the redirect‑follow flaw.
  • If upgrading immediately is not possible, restrict webhook URLs to only allow externally reachable domains and block or whitelist internal IP ranges.
  • Disabling redirect following for webhook deliveries, if the configuration option is available, prevents the vulnerability from being invoked.

Generated by OpenCVE AI on June 24, 2026 at 21:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c4v7-xg93-qf8g Gogs has SSRF in webhook deliveries
History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.
Title Gogs: SSRF in webhook deliveries
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T12:40:21.287Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47267

cve-icon Vulnrichment

Updated: 2026-06-25T12:40:06.365Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:45:02Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)