Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs stores Git Large File Storage objects by their OID alone and does not associate the file path with the owning repository. When a file with the same OID already exists on disk, the upload logic creates a new (repo_id, oid) mapping without verifying that the uploaded data matches the claimed OID. Any user who has write access to a repository can therefore bind that repository to another repository’s private LFS object and download the original private content through their own download endpoint. This results in an information disclosure as described by CWE‑345, enabled by improper privilege checks (CWE‑639) and missing authorization controls (CWE‑862).

Affected Systems

Affected vendor: Gogs, product: self‑hosted Git service. The vulnerability exists in all releases prior to 0.14.3; a fixed version is available as v0.14.3 and later.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. EPSS is not available, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote via the Gogs web interface, requiring the attacker to possess write permissions on a repository within the same instance. No elevated system privileges are needed. Once the attacker binds a private LFS OID to their own repo, they can retrieve the private content, leading to a confidentiality compromise for multi‑tenant or shared deployments.

Generated by OpenCVE AI on June 25, 2026 at 00:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or newer to eliminate the flaw.
  • Restrict write permissions on repositories to trusted users only, limiting the ability of an attacker to bind an LFS OID to a private file.
  • Monitor LFS download activity for anomalous access patterns across repositories to detect potential abuse.

Generated by OpenCVE AI on June 25, 2026 at 00:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6p9m-q3jp-47h4 Gogs: LFS dedupe path leaks private repo content across tenants
History

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3.
Title Gogs: LFS dedupe path leaks private repo content across tenants
Weaknesses CWE-345
CWE-639
CWE-862
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:32:51.608Z

Reserved: 2026-06-08T18:11:06.660Z

Link: CVE-2026-52812

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T00:45:05Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-862

    Missing Authorization