CVE-2026-25119
Deferred Deferred - Pending Action

Authentication Bypass in Gogs via Reverse Proxy Header

Vulnerability report for CVE-2026-25119, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. When the ENABLE_REVERSE_PROXY_AUTHENTICATION setting is enabled, Gogs accepts an authentication header (default: X-WEBAUTH-USER) directly from client requests without verifying that the request actually comes from a trusted reverse proxy.

Because of this lack of validation, any remote attacker who can reach the Gogs service can forge this header to impersonate any user or even trigger automatic account creation, effectively bypassing authentication controls.

This security flaw is fixed in version 0.14.3.

Impact Analysis

This vulnerability allows an attacker to impersonate any user or create accounts automatically without proper authentication.

As a result, unauthorized users could gain access to sensitive repositories or data, potentially leading to data breaches, unauthorized code changes, or exposure of confidential information.

The complete bypass of authentication mechanisms undermines the security of the Gogs service and any projects hosted on it.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later where the issue is fixed.

Additionally, ensure that the ENABLE_REVERSE_PROXY_AUTHENTICATION setting is configured properly and that the authentication header (default: X-WEBAUTH-USER) is only accepted from trusted reverse proxies.

Compliance Impact

This vulnerability allows remote attackers to bypass authentication by forging reverse proxy authentication headers, potentially impersonating any user or triggering automatic account creation without validation.

Such unauthorized access and impersonation can lead to unauthorized data access or modification, which may violate security and privacy requirements mandated by regulations like GDPR and HIPAA.

Specifically, failure to properly authenticate users and protect sensitive data could result in non-compliance with these standards' requirements for access control, data integrity, and confidentiality.

Detection Guidance

This vulnerability can be detected by checking if your Gogs service is accessible directly without proper reverse proxy validation and if the ENABLE_REVERSE_PROXY_AUTHENTICATION setting is enabled without restricting trusted proxy IPs.

You can test for the vulnerability by attempting to send a crafted HTTP request with a spoofed authentication header (default: X-WEBAUTH-USER) directly to the Gogs service from an untrusted IP address and observing if authentication is bypassed.

Example commands to detect this issue include using curl to send a forged header to the Gogs server:

  • curl -H "X-WEBAUTH-USER: someuser" http://<gogs-server>:<port>/
  • If the response indicates that the user 'someuser' is authenticated or an account is created without proper login, the system is vulnerable.

Additionally, verify your Gogs configuration for the presence and proper setting of TRUSTED_PROXY_IPS to ensure only trusted proxies are allowed to send authentication headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25119. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart