CVE-2026-25120
Undergoing Analysis Undergoing Analysis - In Progress
Authorization Bypass in Gogs DeleteComment API Allows Comment Deletion

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository validation. This issue has been fixed in version 0.14.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25120
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions 0.13.4 and below. The issue is that the DeleteComment API does not verify whether a comment actually belongs to the repository specified in the URL. As a result, a repository administrator can delete comments from any other repository by providing arbitrary comment IDs, effectively bypassing authorization controls.

The root cause is that the DeleteComment function retrieves comments by ID without checking repository ownership, and the underlying database function DeleteCommentByID does not perform any repository validation. This flaw was fixed in version 0.14.0.

Impact Analysis

This vulnerability allows a repository administrator to delete comments from any repository, not just the ones they manage. This can lead to unauthorized deletion of comments, potentially disrupting collaboration, removing important discussions or audit trails, and undermining trust in the integrity of repository data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.0 or later, where the issue has been fixed.

Since the vulnerability allows repository administrators to delete comments from any repository by bypassing authorization, limiting repository administrator privileges and monitoring comment deletion activities may help reduce risk until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25120. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart