Impact
Gogs, an open‑source self‑hosted Git service, contains a cross‑site request forgery flaw in its organization member management API. The API accepts GET requests to add users to teams without CSRF protection, allowing an attacker to embed a crafted URL that, when visited by a logged‑in organization owner, adds the attacker’s account to the Owners team. As owners possess full administrative authority, the vulnerability leads to a complete takeover of the organization, enabling replication, deletion, and privileged configuration of repositories and team structures.
Affected Systems
Any deployment of Gogs older than version 0.14.3 is affected. This includes all releases of the 0.14.x series prior to v0.14.3 as well as any 0.13.x or earlier releases. The flaw exists in the core Gogs product and is independent of hosting platform or deployment size.
Risk and Exploitability
The CVSS score of 8.8 classifies the issue as high severity. EPSS data is not available, but the exploitation mechanism is trivial: an attacker only needs a separate user account on the target instance and a malicious link to lure a logged‑in owner to visit it. The vulnerability is not listed in CISA KEV, yet the absence of CSRF tokens makes social engineering straightforward. Successful exploitation results in immediate elevation to organization‑owner privileges, granting full control over repositories, access permissions, and organizational settings.
OpenCVE Enrichment
Github GHSA