CVE-2026-22592
Denial of Service in Gogs via Repo File Deletion
Publication date: 2026-02-06
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gogs | gogs | < 0.13.4 (0.13.4 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22592 is a Denial of Service (DoS) vulnerability in the Gogs Git service, specifically in its repository mirror synchronization feature.
The issue occurs when an authenticated user triggers a mirror synchronization on a repository that has had one or more files deleted before synchronization. If the repository no longer exists, the function responsible for retrieving the mirror record returns an error and a nil pointer. However, the error handling code incorrectly tries to access this nil pointer, causing the application to crash.
This crash results in a denial of service, making the server unavailable. The vulnerability affects Gogs versions up to and including 0.13.3 and has been fixed in versions 0.13.4 and later.
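As an added illustration of the bug class described above (this is not Gogs' own code; the `Mirror` type, the in-memory `mirrors` table and the `sync*` function names are assumptions constructed for the example), a lookup that returns an error together with a nil pointer, the error path that dereferences it and crashes, and the corrected error path that only uses the caller-supplied ID:

```go
package main

import (
	"errors"
	"fmt"
)

// Mirror is a constructed stand-in for a repository mirror record.
type Mirror struct{ RepoID int64 }
var ErrMirrorNotExist = errors.New("mirror does not exist")

// mirrors is a constructed in-memory table standing in for the database.
var mirrors = map[int64]*Mirror{1: {RepoID: 1}}

// getMirrorByRepoID mimics the lookup behaviour the advisory describes:
// when the repository is gone it returns an error AND a nil pointer.
func getMirrorByRepoID(repoID int64) (*Mirror, error) {
	m, ok := mirrors[repoID]
	if !ok {
		return nil, ErrMirrorNotExist
	}
	return m, nil
}

// syncVulnerable reproduces the defective error path: building the error
// message reads a field through the nil pointer, which panics. The recover is
// only here so the example can report the panic; a server without it terminates.
func syncVulnerable(repoID int64) (msg string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	m, lookupErr := getMirrorByRepoID(repoID)
	if lookupErr != nil {
		return "", fmt.Errorf("GetMirrorByRepoID [%d]: %v", m.RepoID, lookupErr)
	}
	return fmt.Sprintf("synced mirror of repo %d", m.RepoID), nil
}

// syncFixed uses only the caller-supplied ID in the error branch and never
// dereferences the pointer until the error has been ruled out.
func syncFixed(repoID int64) (string, error) {
	m, err := getMirrorByRepoID(repoID)
	if err != nil {
		return "", fmt.Errorf("GetMirrorByRepoID [%d]: %w", repoID, err)
	}
	return fmt.Sprintf("synced mirror of repo %d", m.RepoID), nil
}
```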
How can this vulnerability impact me?
This vulnerability allows an authenticated user to cause the Gogs server to crash during repository mirror synchronization, resulting in a denial of service.
The impact is that the availability of the Git service is disrupted, potentially preventing users from accessing repositories or performing Git operations until the server is restarted or patched.
The severity is rated as moderate with a CVSS v3 base score of 6.5, indicating a significant impact on service availability but no direct impact on confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial of service symptoms in the Gogs service, especially during repository mirror synchronization operations.
Specifically, detection involves checking whether the Gogs server crashes when an authenticated user triggers a mirror synchronization on a repository that has had files deleted or that has itself been deleted.
A practical approach is to simulate or monitor mirror synchronization requests to the endpoint `/superuser/gobypass403/settings` and observe if the server crashes or logs null pointer dereference errors related to `GetMirrorByRepoID`.
While no explicit commands are provided, you can use network monitoring tools like curl or Python scripts to send POST requests to the mirror synchronization endpoint with appropriate authentication and CSRF tokens to test for the vulnerability.
- Example: Use curl or a script to send repeated POST requests to `/superuser/gobypass403/settings` to trigger mirror synchronization.
- Monitor Gogs server logs for errors or crashes related to null pointer dereferences in `mirror.go`.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Gogs to version 0.13.4 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict authenticated users' ability to trigger mirror synchronization on repositories, especially those that may have deleted files or have been deleted.
Additionally, monitor and audit repository deletions and mirror synchronization activities to prevent exploitation. [1]