CVE-2026-25232
Status: Undergoing Analysis - In Progress
Access Control Bypass in Gogs Allows Protected Branch Deletion

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability that allows any repository collaborator with Write permission to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. The flaw is in the DeleteBranchPost function: it lets a Write-level collaborator perform an operation that should be restricted to Admin-level users, so low-privilege users can carry out a dangerous, administrator-only action. Although the Git hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger the Git hooks, so the protection is bypassed completely. To exploit this vulnerability, an attacker must have Write permission on the target repository, the target repository must have protected branches configured, and the attacker must have access to the Gogs web interface. This issue has been fixed in version 0.14.1.
Meta Information
Published: 2026-02-19
Last Modified: 2026-02-19
Generated: 2026-06-16
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-06-14
NVD
Affected Vendors & Products
Vendor: gogs
Product: gogs
Version / Range: all versions before 0.14.1 (0.14.1 excluded)

The description names 0.13.4 and below as affected and 0.14.1 as the first fixed release; the CPE range is the broader of the two, so treat any Gogs release earlier than 0.14.1 as affected unless the vendor advisory says otherwise.
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions 0.13.4 and below. It is an access control bypass that allows any repository collaborator with Write permission to delete protected branches, including the default branch, by sending a direct POST request to the web interface. This bypasses the branch protection mechanism entirely.

The vulnerability exists because the web interface deletion operation does not trigger the Git hooks, which is where Gogs enforces the protected-branch rule for SSH pushes. The DeleteBranchPost handler relies only on the collaborator's Write permission, so a Write-level user can perform a deletion that should be restricted to administrators. The user does not gain the Admin role; they gain one Admin-only capability.

To exploit this vulnerability, an attacker must have Write permission on the target repository, the repository must have protected branches configured, and the attacker must be able to reach the Gogs web interface. The issue was fixed in version 0.14.1.
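The two code paths described above, as an added illustration written for this page (it is not Gogs source code and not the change shipped in 0.14.1): a push path that runs a hook rule, a web handler with the shape of the advisory's flaw, and a hardened handler that consults the same rule before updating the ref. The names (AccessMode, Repo, preReceiveCheck, deleteBranchWebVulnerable, deleteBranchWebFixed) and the constructed repository with users "owner", "dev" and "guest" are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode is the coarse per-collaborator role the advisory talks about.
type AccessMode int

const (
	AccessRead AccessMode = iota
	AccessWrite
	AccessAdmin
)

// Repo carries just enough state to show the two code paths (constructed model).
type Repo struct {
	Collaborators map[string]AccessMode
	Protected     map[string]bool
	Branches      map[string]bool // refs that currently exist
}

var (
	ErrForbidden = errors.New("forbidden: Write access required")
	ErrProtected = errors.New("rejected: branch is protected")
	ErrNoBranch  = errors.New("branch does not exist")
)

// preReceiveCheck models the server-side Git hook rule: a push that deletes a
// protected branch is rejected. It only runs on the push path; nothing forces
// the web handler to consult it.
func preReceiveCheck(r *Repo, branch string, isDelete bool) error {
	if isDelete && r.Protected[branch] {
		return ErrProtected
	}
	return nil
}

// removeRef is the ref update underneath both paths.
func removeRef(r *Repo, branch string) error {
	if !r.Branches[branch] {
		return ErrNoBranch
	}
	delete(r.Branches, branch)
	return nil
}

// deleteBranchViaPush is the SSH push path: role check, then the hook rule.
func deleteBranchViaPush(r *Repo, user, branch string) error {
	if r.Collaborators[user] < AccessWrite {
		return ErrForbidden
	}
	if err := preReceiveCheck(r, branch, true); err != nil {
		return err
	}
	return removeRef(r, branch)
}

// deleteBranchWebVulnerable has the shape of the flaw the advisory describes:
// the handler verifies Write access, then updates the ref directly, so the
// hook never runs and the protection rule is never consulted (CWE-863).
func deleteBranchWebVulnerable(r *Repo, user, branch string) error {
	if r.Collaborators[user] < AccessWrite {
		return ErrForbidden
	}
	return removeRef(r, branch)
}

// deleteBranchWebFixed consults the same rule as the hook before touching the
// ref, so every mutation path enforces one policy; to delete a protected branch
// an Admin removes the protection first. Shape of the check, not the 0.14.1 patch.
func deleteBranchWebFixed(r *Repo, user, branch string) error {
	if r.Collaborators[user] < AccessWrite {
		return ErrForbidden
	}
	if err := preReceiveCheck(r, branch, true); err != nil {
		return err
	}
	return removeRef(r, branch)
}

// newDemoRepo builds a constructed repository: "owner" holds Admin, "dev" holds
// Write, "guest" holds Read, and "main" is the protected branch.
func newDemoRepo() *Repo {
	return &Repo{
		Collaborators: map[string]AccessMode{"owner": AccessAdmin, "dev": AccessWrite, "guest": AccessRead},
		Protected:     map[string]bool{"main": true},
		Branches:      map[string]bool{"main": true, "feature/login": true},
	}
}

func main() {
	type path struct {
		name string
		fn   func(*Repo, string, string) error
	}
	for _, p := range []path{{"push path", deleteBranchViaPush}, {"web, vulnerable", deleteBranchWebVulnerable}, {"web, fixed", deleteBranchWebFixed}} {
		r := newDemoRepo()
		err := p.fn(r, "dev", "main")
		fmt.Printf("%-16s dev deletes main: err=%v, main exists=%v\n", p.name, err, r.Branches["main"])
	}
}
```

Running it shows the asymmetry the advisory describes: the push path and the fixed handler both return the "branch is protected" error and leave main in place, while the vulnerable handler returns no error and main is gone. The design point is that policy enforced only in a hook is policy enforced only on the paths that happen to run the hook; the check has to sit on the ref update itself or be called from every handler that performs one.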

Impact Analysis

This vulnerability allows users with Write permission to delete protected branches, including the default branch, which the branch protection mechanism exists to prevent.

The privilege escalation is narrow but consequential: the attacker does not obtain the Admin role, but can perform an Admin-only operation. A deleted default branch breaks clones, checkouts and CI pipelines that reference it, and the deleted commits become unreachable and eligible for garbage collection, so the outcome ranges from disrupted development workflows to permanent loss of history that existed only on that branch.

Detection Guidance

Server-side Git hooks do not run on this path, so audit logging attached to pre-receive or post-receive hooks will show nothing; the signal has to come from elsewhere.

Review the Gogs application log (if request logging is enabled) or the access log of a reverse proxy in front of Gogs for POST requests to the branch-deletion route from accounts that hold only Write access on repositories with branch protection enabled. The advisory names the handler, DeleteBranchPost, but not the route; take the path from your version's router rather than assuming it.

Reconcile the branch-protection configuration against the refs actually present in each bare repository on the server: a protected branch whose ref is gone, with no corresponding push in the hook logs, is the artifact this bypass leaves behind. Deleted commits stay in the object store as unreachable objects until garbage collection, so git fsck --unreachable in the bare repository can locate them for recovery.
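The reconciliation check described above, as an added example written for this page (not a Gogs tool): it parses the default git for-each-ref output of a bare repository, keeps only branches under refs/heads/, and reports every configured protected branch that no longer has a ref. The sample ref listing and the protected-branch list are constructed for the example; in practice the listing comes from running git for-each-ref in each repository under the Gogs repository root and the protected names from the Gogs database.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseForEachRef reads the default `git for-each-ref` output, one ref per
// line in the form "<objectname> <objecttype>\t<refname>", and returns the
// branches under refs/heads/ mapped to their object id. Tags and other refs
// are ignored; branch names containing '/' are preserved intact.
func parseForEachRef(out string) map[string]string {
	branches := make(map[string]string)
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		// The refname is everything after the first tab; split there rather
		// than on whitespace so odd ref names survive.
		tab := strings.IndexByte(line, '\t')
		if tab < 0 {
			continue
		}
		meta := strings.Fields(line[:tab]) // objectname, objecttype
		ref := line[tab+1:]
		if len(meta) != 2 || !strings.HasPrefix(ref, "refs/heads/") {
			continue
		}
		branches[strings.TrimPrefix(ref, "refs/heads/")] = meta[0]
	}
	return branches
}

// missingProtected returns, sorted, every configured protected branch that has
// no ref in the repository. A non-empty result on a repository whose hooks never
// logged a deletion is exactly the artifact this CVE leaves behind.
func missingProtected(protected []string, present map[string]string) []string {
	var missing []string
	for _, name := range protected {
		if _, ok := present[name]; !ok {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// sampleRefs is constructed output standing in for `git for-each-ref` run in a
// bare repository whose protected "main" branch has been deleted; it is not
// taken from a real server.
var sampleRefs = strings.Join([]string{
	"0a1b2c3d4e5f60718293a4b5c6d7e8f901234567 commit\trefs/heads/develop",
	"1b2c3d4e5f60718293a4b5c6d7e8f9012345678a commit\trefs/heads/feature/login",
	"2c3d4e5f60718293a4b5c6d7e8f9012345678ab9 commit\trefs/heads/release/1.2",
	"3d4e5f60718293a4b5c6d7e8f9012345678ab9c0 tag\trefs/tags/v1.2.0",
}, "\n") + "\n"

// protectedBranches stands in for the protected-branch rows Gogs stores for
// this repository (constructed for the example).
var protectedBranches = []string{"main", "develop", "release/1.2"}

func main() {
	present := parseForEachRef(sampleRefs)
	for _, name := range missingProtected(protectedBranches, present) {
		fmt.Printf("ALERT: protected branch %q has no ref; check web access logs and run git fsck --unreachable to recover its commits\n", name)
	}
}
```

On the constructed input the check reports main and nothing else: develop and release/1.2 are present, the tag is ignored, and the slash in feature/login is kept as part of the name. Run it per repository and alert on any non-empty result that cannot be matched to a logged, authorized push.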

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.1 or later, where the issue has been fixed.

Additionally, review repository collaborator permissions so that only trusted users hold Write access, since exploitation requires it; Read-only collaborators cannot trigger the flaw.

Until the upgrade is applied, consider temporarily reducing collaborators to Read access on repositories that depend on branch protection, or blocking POST requests to the web branch-deletion route at a reverse proxy in front of Gogs. Pushes over SSH remain covered by the Git hook layer, so this only needs to close the web path, which is the one the advisory describes.
