Executive Summary

CVE-2026-23632 is a vulnerability in the Gogs Git repository management system affecting versions up to 0.13.3. The issue is that the API endpoint PUT /repos/:owner/:repo/contents/* allows modification of repository contents without requiring write permissions. Instead, it only checks for read permissions via the repoAssignment() function. After this check, the system calls PutContents(), which triggers UpdateRepoFile(), resulting in a commit creation and a git push operation. This means an attacker with a token that has only read access can modify files in the repository.

The attack requires possession of a valid access token with read permission on the target repository, which could be a public repository or one where the attacker is a collaborator with read access. The attacker can send a PUT request to update arbitrary files, leading to unauthorized commits and pushes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts including unauthorized modification of source code, injection of backdoors, and compromise of release artifacts or distributed packages. Because an attacker with only read permissions can push changes, the integrity of the repository is at high risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Gogs instance is running a vulnerable version (0.13.3 or earlier) and by testing whether the API endpoint PUT /repos/:owner/:repo/contents/* allows modification of repository contents using a token with read-only permissions.'}, {'type': 'paragraph', 'content': 'One way to detect this is to attempt a PUT request to the endpoint with a read-only token and observe if the repository content is modified or a commit is created.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (replace placeholders accordingly):'}, {'type': 'list_item', 'content': 'curl -X PUT -H "Authorization: token <read-only-token>" -d \'{"content":"<base64-encoded-content>", "message":"test commit"}\' https://<gogs-instance>/api/v1/repos/<owner>/<repo>/contents/<file-path>'}, {'type': 'paragraph', 'content': 'If the request succeeds in modifying the repository content or creating a commit, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade your Gogs installation to version 0.13.4 or later, where this vulnerability has been patched.

Additionally, review and restrict the permissions of access tokens to ensure that tokens with read-only permissions cannot be used to modify repository contents.

If upgrading immediately is not possible, consider restricting network access to the vulnerable API endpoint or disabling the affected functionality temporarily.

Useful 0 Not Useful 0