Impact
The vulnerability is a missing authorization check for downloading attachments via the endpoint GET /attachments/:uuid. An attacker who can request an attachment UUID can retrieve the raw file without verifying that the requester has any view permission for the associated issue, comment, release or repository. This omission permits a disclosure of potentially sensitive information when the repository is private. The weakness is classified as IDOR (CWE‑639) and missing authorization (CWE‑862).
Affected Systems
Gogs Gogs running a version earlier than 0.14.3 is affected. The flaw manifests when the configuration flag REQUIRE_SIGNIN_VIEW is set to false, allowing unauthenticated users to access attachments in private repositories. Maintaining older releases or deploying Gogs without the patch exposes the system to this flaw.
Risk and Exploitability
The CVSS base score of 7.5 indicates a high severity, and the flaw can be exploited by any network party that can reach the Gogs service, even when the repository is private. While the EPSS score is unavailable, the lack of a KEV listing suggests no widespread exploitation has been documented yet, but the combination of a public-facing service and painless unauthenticated file download provides a straightforward attack vector for attackers seeking data leakage.
OpenCVE Enrichment
Github GHSA