CVE-2026-25232
Status: Undergoing Analysis - In Progress
Access Control Bypass in Gogs Allows Protected Branch Deletion

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function enables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although the Git hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git hooks, resulting in a complete bypass of the protection mechanism. In order to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches must be configured on the target repository, and the attacker must have access to the Gogs web interface. This issue has been fixed in version 0.14.1.
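The root cause described above is a CWE-863 pattern: the authorization decision ("may this actor delete this branch?") was enforced only in the Git push hook, so a second code path (the web handler) that never runs the hook silently skips it. The following is an added, self-contained illustration written for this page; it is not Gogs source code and does not reproduce the DeleteBranchPost function. It models a simplified repository with a Write/Admin access mode, a flawed handler that only checks for Write access, and a hardened handler that re-applies the branch protection rule at the web layer itself. The rules that Admin may delete a protected non-default branch and that the default branch is never deletable are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode is a hypothetical, simplified collaborator permission level.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
)

// Repo is a hypothetical in-memory model of a repository's branch state.
type Repo struct {
	DefaultBranch     string
	ProtectedBranches map[string]bool
	Branches          map[string]bool
}

var (
	ErrForbidden = errors.New("forbidden: insufficient permission")
	ErrProtected = errors.New("forbidden: branch is protected")
	ErrNotFound  = errors.New("branch not found")
)

// newRepo builds constructed sample data: "main" is the default branch,
// "release" is protected, "feature" is an ordinary branch.
func newRepo() *Repo {
	return &Repo{
		DefaultBranch:     "main",
		ProtectedBranches: map[string]bool{"main": true, "release": true},
		Branches:          map[string]bool{"main": true, "release": true, "feature": true},
	}
}

// deleteBranchUnchecked models the flawed pattern the advisory describes:
// the web path only requires Write access and never consults branch
// protection, because that enforcement lives solely in the Git push hook,
// which this path does not trigger.
func deleteBranchUnchecked(r *Repo, mode AccessMode, branch string) error {
	if mode < AccessWrite {
		return ErrForbidden
	}
	if !r.Branches[branch] {
		return ErrNotFound
	}
	delete(r.Branches, branch)
	return nil
}

// deleteBranchChecked applies the same authorization rule the hook enforces,
// directly in the web handler, so every deletion path reaches one decision:
// the default branch is never deletable, and protected branches need Admin
// (both rules are assumptions for this example, not Gogs semantics).
func deleteBranchChecked(r *Repo, mode AccessMode, branch string) error {
	if mode < AccessWrite {
		return ErrForbidden
	}
	if !r.Branches[branch] {
		return ErrNotFound
	}
	if branch == r.DefaultBranch {
		return ErrProtected
	}
	if r.ProtectedBranches[branch] && mode < AccessAdmin {
		return ErrProtected
	}
	delete(r.Branches, branch)
	return nil
}

func main() {
	// A Write-level collaborator against the flawed and the hardened handler.
	fmt.Println("unchecked, Write deletes 'release':", deleteBranchUnchecked(newRepo(), AccessWrite, "release"))
	fmt.Println("checked,   Write deletes 'release':", deleteBranchChecked(newRepo(), AccessWrite, "release"))
	fmt.Println("checked,   Write deletes 'feature':", deleteBranchChecked(newRepo(), AccessWrite, "feature"))
	fmt.Println("checked,   Admin deletes 'main':   ", deleteBranchChecked(newRepo(), AccessAdmin, "main"))
}
```

The defensive takeaway is that a Git hook is a pre-receive control for push transport only; any server-side operation that mutates refs through another path (a web form, an API endpoint, a background job) must perform the same authorization check itself, or route through one shared check.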
Meta Information
Published: 2026-02-19
Last Modified: 2026-02-19
Generated: 2026-05-07
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (1 associated CPE)
Vendor: gogs | Product: gogs | Version / Range: up to 0.14.1 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Gogs, an open source self-hosted Git service, in versions 0.13.4 and below. It is an access control bypass issue that allows any repository collaborator with Write permissions to delete protected branches, including the default branch, by sending a direct POST request. This bypasses the branch protection mechanism entirely.

The vulnerability exists because the web interface deletion operation does not trigger Git Hooks, which normally prevent protected branch deletion via SSH push. As a result, users with Write permissions can escalate their privileges to Admin level and perform dangerous operations that should be restricted to administrators.

To exploit this vulnerability, an attacker must have write permissions to the target repository, protected branches must be configured, and the attacker must have access to the Gogs web interface. The issue was fixed in version 0.14.1.


How can this vulnerability impact me?

This vulnerability can have serious impacts by allowing users with Write permissions to delete protected branches, including the default branch, which should normally be protected from such actions.

This privilege escalation from Write to Admin level means that low-privilege users can perform administrative operations, potentially disrupting development workflows, deleting critical code branches, and causing data loss or service interruptions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.1 or later, where the issue has been fixed.

Additionally, review repository collaborator permissions to ensure that only trusted users have Write access, as exploitation requires Write permissions.

Consider temporarily restricting Write permissions or disabling web interface branch deletion until the upgrade is applied.

