Description
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (returns 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an authorisation bypass in the Watch API of Gogs. An authenticated user can watch a private repository they are not entitled to access because the check is inverted. Watching a private repository puts its commit messages, branch names, issue titles, and pull-request details into the attacker's activity feed. If email notifications are enabled, the attacker also receives sensitive issue and comment contents via email, exposing private repository data. The weakness is a classic access-control flaw, classified as CWE-863.
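As an added illustration (not Gogs's own code), the inverted check from the description is shown beside the corrected form, using a minimal stand-in for the request context; the type name, function names and the success status code are assumptions:

```go
package main

import (
	"fmt"
	"net/http"
)

// repoContext is an assumed stand-in for the request context the Watch
// handler consults; it is not the real Gogs type. Only ViewerCanRead matters.
type repoContext struct {
	viewerCanRead bool
}

// ViewerCanRead reports whether the authenticated viewer may read the repo.
func (c repoContext) ViewerCanRead() bool { return c.viewerCanRead }

// watchVulnerable mirrors the inverted check described for CVE-2026-52795:
// a viewer who CAN read the repository gets 404, while a viewer who cannot
// read it falls through and the watch is recorded. The success status is an
// assumed placeholder. Returns the HTTP status the handler would send.
func watchVulnerable(ctx repoContext) int {
	if ctx.ViewerCanRead() {
		return http.StatusNotFound
	}
	// The watch would be stored here; the caller now receives the feed.
	return http.StatusNoContent
}

// watchFixed negates the condition so only readers may watch. Answering 404
// rather than 403 avoids confirming that a private repository exists.
func watchFixed(ctx repoContext) int {
	if !ctx.ViewerCanRead() {
		return http.StatusNotFound
	}
	return http.StatusNoContent
}

func main() {
	for _, canRead := range []bool{true, false} {
		ctx := repoContext{viewerCanRead: canRead}
		fmt.Printf("viewer can read=%-5v vulnerable=%d fixed=%d\n",
			canRead, watchVulnerable(ctx), watchFixed(ctx))
	}
}
```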

Affected Systems

The affected product is Gogs, version 0.14.3 and all earlier releases. Gogs is an open-source self-hosted Git service.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium level of severity. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. An attacker must first authenticate to the Gogs instance, but no further privileges are required. Once authenticated, the attacker can gain read-only visibility of a private repository's activity, including commit contents and discussion, which represents a moderate confidentiality breach. The likelihood of exploitation is uncertain due to missing EPSS data, but the attack path is straightforward for any user with an account.

Generated by OpenCVE AI on June 24, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to the latest released version, which removes the inverted access check in the Watch API.
  • If an upgrade is not immediately possible, disable the watch feature for private repositories or restrict the activity feed so that private repositories do not appear to other users.
  • If email notifications are enabled, reconfigure or temporarily disable notifications for private repository activity to prevent exposure of issue and comment content via email.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (returns 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

Type: Title
Values Removed: (none)
Values Added: Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-863

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:06:15.058Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52795

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:45:15Z

Weaknesses