Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository.
In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check for downloading attachments via the endpoint GET /attachments/:uuid. An attacker who can request an attachment UUID can retrieve the raw file without verifying that the requester has any view permission for the associated issue, comment, release or repository. This omission permits a disclosure of potentially sensitive information when the repository is private. The weakness is classified as IDOR (CWE‑639) and missing authorization (CWE‑862).

Affected Systems

Gogs Gogs running a version earlier than 0.14.3 is affected. The flaw manifests when the configuration flag REQUIRE_SIGNIN_VIEW is set to false, allowing unauthenticated users to access attachments in private repositories. Maintaining older releases or deploying Gogs without the patch exposes the system to this flaw.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high severity, and the flaw can be exploited by any network party that can reach the Gogs service, even when the repository is private. While the EPSS score is unavailable, the lack of a KEV listing suggests no widespread exploitation has been documented yet, but the combination of a public-facing service and painless unauthenticated file download provides a straightforward attack vector for attackers seeking data leakage.

Generated by OpenCVE AI on June 24, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later to apply the patch that restores proper authorization checks on attachment downloads
  • If an upgrade is not immediately possible, set the configuration variable REQUIRE_SIGNIN_VIEW to true so that attachment access requires authentication
  • Review network exposure of Gogs instances and ensure that private repositories are protected behind authentication and firewall rules

Generated by OpenCVE AI on June 24, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p9f5-h3rx-j5qw Gogs Missing Authorization in Attachment Download
History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3.
Title Gogs: Missing Authorization in Attachment Download
Weaknesses CWE-639
CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:13:25.093Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52799

cve-icon Vulnrichment

Updated: 2026-06-25T13:12:54.147Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T08:15:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-862

    Missing Authorization