Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs, an open‑source self‑hosted Git service, contains a cross‑site request forgery flaw in its organization member management API. The API accepts GET requests to add users to teams without CSRF protection, allowing an attacker to embed a crafted URL that, when visited by a logged‑in organization owner, adds the attacker’s account to the Owners team. As owners possess full administrative authority, the vulnerability leads to a complete takeover of the organization, enabling replication, deletion, and privileged configuration of repositories and team structures.

Affected Systems

Any deployment of Gogs older than version 0.14.3 is affected. This includes all releases of the 0.14.x series prior to v0.14.3 as well as any 0.13.x or earlier releases. The flaw exists in the core Gogs product and is independent of hosting platform or deployment size.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity. EPSS data is not available, but the exploitation mechanism is trivial: an attacker only needs a separate user account on the target instance and a malicious link to lure a logged‑in owner to visit it. The vulnerability is not listed in CISA KEV, yet the absence of CSRF tokens makes social engineering straightforward. Successful exploitation results in immediate elevation to organization‑owner privileges, granting full control over repositories, access permissions, and organizational settings.

Generated by OpenCVE AI on June 24, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later to apply the vendor‑supplied fix that adds CSRF protection to organization member management endpoints.
  • If an upgrade is not immediately possible, reconfigure the service so that membership changes are accepted only via POST requests that require a CSRF token, or disable the vulnerable GET endpoint entirely.
  • Enable multi‑factor authentication for organization owners and regularly audit the Owners team membership to detect any unauthorized additions.

Generated by OpenCVE AI on June 24, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pwx3-qcgw-vh7h Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
History

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.
Title Gogs: CSRF Leading to Organization Owner Takeover
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:47.019Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52800

cve-icon Vulnrichment

Updated: 2026-06-25T15:38:23.758Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:45:02Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)