Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync — none of which they are authorized to do. This vulnerability is fixed in 0.14.3.
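The following is an added example, not Gogs's own code, showing the class of bug the description names: the same three routes wired behind a writer-level gate (the pre-0.14.3 behaviour) and behind an admin-level gate (the fix), with an in-memory probe that demonstrates which collaborators each gate admits. The access-mode ordering and the names reqRepoWriter/reqRepoAdmin come from the description; the net/http router, the X-User header, the repoAccess lookup and the users "mallory"/"alice" are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AccessMode models the ordered levels the advisory compares numerically:
// a collaborator's mode must be >= the gate's minimum, and Write < Admin.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
	AccessModeAdmin
	AccessModeOwner
)

// repoAccess is a hypothetical stand-in for the server's lookup of a caller's
// access mode on the target repository, keyed by user name.
type repoAccess map[string]AccessMode

// requireMode is middleware that rejects any caller whose mode is below min.
func requireMode(min AccessMode, access repoAccess, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Hypothetical: the authentication layer already put the caller's
		// identity in this header; an unknown user resolves to AccessModeNone.
		user := r.Header.Get("X-User")
		if access[user] < min {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// The two gates named in the advisory, expressed over requireMode.
func reqRepoWriter(a repoAccess, next http.HandlerFunc) http.HandlerFunc {
	return requireMode(AccessModeWrite, a, next)
}

func reqRepoAdmin(a repoAccess, next http.HandlerFunc) http.HandlerFunc {
	return requireMode(AccessModeAdmin, a, next)
}

// settingsHandler stands in for the handlers that change the issue tracker or
// wiki settings or trigger mirror sync; reaching it means the gate let the caller in.
func settingsHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusNoContent)
}

// NewRouter wires the three endpoints for a fixed owner/repo (acme/app).
// fixed=false reproduces the pre-0.14.3 gate (writer); fixed=true the corrected gate (admin).
func NewRouter(a repoAccess, fixed bool) *http.ServeMux {
	gate := reqRepoWriter
	if fixed {
		gate = reqRepoAdmin
	}
	mux := http.NewServeMux()
	for _, p := range []string{"issue-tracker", "wiki", "mirror-sync"} {
		mux.HandleFunc("/api/v1/repos/acme/app/"+p, gate(a, settingsHandler))
	}
	return mux
}

// Probe issues one in-memory request as user and returns the HTTP status.
func Probe(mux *http.ServeMux, method, path, user string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	access := repoAccess{"mallory": AccessModeWrite, "alice": AccessModeAdmin}
	for _, fixed := range []bool{false, true} {
		mux := NewRouter(access, fixed)
		fmt.Printf("fixed=%v mallory PATCH issue-tracker -> %d\n", fixed,
			Probe(mux, "PATCH", "/api/v1/repos/acme/app/issue-tracker", "mallory"))
	}
}
```

The point to check in any code review of a route table is that an API endpoint and the UI action it duplicates sit behind the same gate; here the only difference between the vulnerable and fixed routers is which minimum AccessMode the middleware enforces.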
Published: 2026-06-24
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs is an open‑source self‑hosted Git service. Prior to version 0.14.3, three API endpoints—PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync—were protected by a write‑level check rather than an admin check. While the web UI actions for these settings require admin access, the API endpoints permitted any collaborator with write permission to invoke them. Consequently a write collaborator can disable the native issue tracker or wiki, inject attacker‑controlled external tracker or wiki URLs that redirect all repository visitors, or trigger mirror sync—all of which they are not authorized to do. The vulnerability is fixed in 0.14.3.

Affected Systems

The flaw affects all Gogs releases prior to 0.14.3. Any instance of the self‑hosted Git server running an earlier version that has repositories with write‑level collaborators is exposed. The vulnerability is classified as improper privilege management (CWE‑269) and incorrect authorization (CWE‑863).

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L: reachable over the network, low attack complexity, low privileges (an authenticated collaborator), no user interaction, high integrity impact and low availability impact. No EPSS score is currently available and the issue is not listed in CISA's KEV catalog, suggesting that exploitation has not been widely observed. The attack vector is authenticated API calls: the attacker must already hold write‑level collaborator access on the repository, but given that access they can trivially change admin‑only repository settings unless the instance has been upgraded or compensating controls are in place.

Generated by OpenCVE AI on June 25, 2026 at 00:31 UTC.

Remediation

Vendor fix: Gogs 0.14.3 corrects the permission checks on the affected endpoints. No vendor workaround for earlier versions is currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to v0.14.3 or newer to correct the permission checks on the affected API endpoints.
  • Reduce write‑level collaborator permissions wherever possible, retaining admin privileges only for trusted users.
  • Monitor API access logs for PATCH requests to the issue‑tracker and wiki endpoints and POST requests to the mirror‑sync endpoint, and alert when the requester is not an admin of that repository (successful requests on an unpatched instance indicate the bug was exercised; denied requests on a patched instance indicate a collaborator probing for it).
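As an added example of the monitoring step (not part of the OpenCVE page or of Gogs), the following Go code scans access-log lines for the three endpoints and flags every request by a user who is not an admin of the target repository. The key=value log format and the sample lines are constructed for the illustration, and the admins map stands in for whatever source of collaborator roles a deployment has; both are assumptions, and a real deployment would adapt the line parser to its proxy or Gogs log format.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sensitivePath matches the three endpoints named in the advisory, capturing
// owner and repo so the requester's role can be looked up per repository.
var sensitivePath = regexp.MustCompile(`^/api/v1/repos/([^/]+)/([^/]+)/(issue-tracker|wiki|mirror-sync)$`)

// sensitiveMethod is the mutating method for each endpoint; reads are ignored.
var sensitiveMethod = map[string]string{
	"issue-tracker": "PATCH",
	"wiki":          "PATCH",
	"mirror-sync":   "POST",
}

// lineRe parses the constructed key=value access-log format used below.
var lineRe = regexp.MustCompile(`^(\S+) user=(\S+) method=(\S+) path=(\S+) status=(\d+)$`)

// Alert is one flagged request.
type Alert struct {
	Time, User, Method, Path, Repo, Status string
}

// DetectNonAdminWrites returns an alert for every request to one of the three
// endpoints, with its mutating method, by a user who is not an admin of that
// repository. admins maps "owner/repo" to the set of admin-level users (assumed
// to come from the collaborator list). Requests are flagged regardless of status,
// so a 2xx on an unpatched server and a 403 on a patched one are both reported.
func DetectNonAdminWrites(log string, admins map[string]map[string]bool) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue // not in the expected format; skip rather than guess
		}
		ts, user, method, path, status := m[1], m[2], m[3], m[4], m[5]
		p := sensitivePath.FindStringSubmatch(path)
		if p == nil {
			continue
		}
		repo, endpoint := p[1]+"/"+p[2], p[3]
		if method != sensitiveMethod[endpoint] {
			continue
		}
		if admins[repo][user] {
			continue // admins are authorized to change these settings
		}
		alerts = append(alerts, Alert{ts, user, method, path, repo, status})
	}
	return alerts
}

// SampleLog is constructed input: alice is the repo admin, mallory and bob are
// write-level collaborators.
const SampleLog = `
2026-06-24T21:00:01Z user=alice method=PATCH path=/api/v1/repos/acme/app/wiki status=200
2026-06-24T21:00:05Z user=mallory method=PATCH path=/api/v1/repos/acme/app/issue-tracker status=200
2026-06-24T21:00:09Z user=mallory method=GET path=/api/v1/repos/acme/app/wiki status=200
2026-06-24T21:00:12Z user=mallory method=POST path=/api/v1/repos/acme/app/mirror-sync status=403
2026-06-24T21:00:20Z user=bob method=POST path=/api/v1/repos/acme/app/mirror-sync status=200
`

// SampleAdmins is the constructed role table for the sample log.
var SampleAdmins = map[string]map[string]bool{
	"acme/app": {"alice": true},
}

func main() {
	for _, a := range DetectNonAdminWrites(SampleLog, SampleAdmins) {
		fmt.Printf("%s non-admin %s did %s %s (status %s)\n", a.Time, a.User, a.Method, a.Path, a.Status)
	}
}
```

On the sample input this reports mallory's PATCH to the issue tracker, mallory's denied mirror-sync attempt and bob's mirror sync, while alice's admin edit and mallory's read-only GET are not flagged.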

Advisories
Source: GitHub GHSA
ID: GHSA-268j-37xf-pp52
Title: Gogs's write-level collaborators can mutate admin-only repository settings via API
History

Wed, 24 Jun 2026 21:15:00 +0000

Values added (nothing removed):

Description: Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync — none of which they are authorized to do. This vulnerability is fixed in 0.14.3.
Title: Gogs: Write-level collaborators can mutate admin-only repository settings via API
Weaknesses: CWE-269, CWE-863
References: (none)
Metrics: cvssV3_1 score 7.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:27:41.410Z

Reserved: 2026-06-08T18:02:19.732Z

Link: CVE-2026-52808

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:45:05Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-863

    Incorrect Authorization