Executive Summary

CVE-2026-25229 is a broken access control vulnerability in Gogs, an open source self-hosted Git service. In versions 0.13.4 and below, authenticated users with write access to one repository can modify labels belonging to other repositories. This happens because the UpdateLabel function in the Web UI does not verify that the label being modified actually belongs to the repository specified in the URL path. Specifically, the function calls a database query that ignores repository ownership, allowing cross-repository label tampering attacks.

The vulnerability exists in the POST /:username/:reponame/labels/edit endpoint, where the handler uses an incorrect database query that bypasses repository ownership validation. This flaw enables an attacker to alter labels in repositories they do not have permission to modify.

This issue was fixed in Gogs version 0.14.1 by ensuring that label ownership is properly validated before allowing updates.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with write access to one repository to modify labels in other repositories without authorization. The impacts include:

• Disruption of project management by changing critical labels such as priority or status.
• Concealment of security issues by altering security-related labels, potentially hiding vulnerabilities or incidents.
• Sabotage of CI/CD workflows that rely on labels for automation, causing build or deployment failures.
• Mass disruption by enumerating and modifying labels across multiple repositories, affecting many projects.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized modification of labels across repositories by authenticated users with write access to any repository. Detection involves monitoring for suspicious POST requests to the Web UI label update endpoint that modify labels belonging to repositories other than the one in the URL path.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for POST requests to the endpoint pattern: POST /:username/:reponame/labels/edit where the label ID being modified does not belong to the repository in the URL.'}, {'type': 'paragraph', 'content': 'Commands to detect such activity could include inspecting web server logs or proxy logs for unusual label edit requests, for example using grep or similar tools:'}, {'type': 'list_item', 'content': "grep -i 'POST /.*labels/edit' /path/to/gogs/access.log"}, {'type': 'list_item', 'content': 'Analyze the POST data payloads for label IDs that do not belong to the repository specified in the URL path.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected changes in labels across repositories by comparing label metadata before and after updates can help detect exploitation.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Gogs to version 0.14.1 or later, where this vulnerability has been fixed by properly validating label ownership in the UpdateLabel function.

If immediate upgrade is not possible, restrict write access permissions carefully to trusted users only, as the vulnerability requires authenticated users with write access.

Monitor and audit label modification activities closely to detect any unauthorized cross-repository label changes.

Consider applying custom access control checks or patches that enforce repository ownership validation on label updates until the official fix can be applied.

Useful 0 Not Useful 0