CVE-2026-25119
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication. This vulnerability is fixed in 0.14.3.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: gogs
Product: gogs
Version / Range: up to 0.14.3 (excluding)
CWE
CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. When the ENABLE_REVERSE_PROXY_AUTHENTICATION setting is enabled, Gogs accepts an authentication header (default: X-WEBAUTH-USER) directly from client requests without verifying that the request actually comes from a trusted reverse proxy.

Because of this lack of validation, any remote attacker who can reach the Gogs service can forge this header to impersonate any user or even trigger automatic account creation, effectively bypassing authentication controls.

This security flaw is fixed in version 0.14.3.

Impact Analysis

This vulnerability allows an attacker to impersonate any user or create accounts automatically without proper authentication.

As a result, unauthorized users could gain access to sensitive repositories or data, potentially leading to data breaches, unauthorized code changes, or exposure of confidential information.

The complete bypass of authentication mechanisms undermines the security of the Gogs service and any projects hosted on it.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later where the issue is fixed.

Additionally, ensure that ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled only in deployments where Gogs actually sits behind a reverse proxy, and that the authentication header (default: X-WEBAUTH-USER) is accepted only from that trusted proxy.
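The mitigation above amounts to a peer check that the pre-0.14.3 code lacked. The Go code below is an added example, not Gogs's own implementation: it honours the header only when the request's TCP peer falls inside an operator-supplied list of proxy ranges. The CIDRs and the request are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Gogs default header name from the advisory.
const authHeader = "X-WEBAUTH-USER"

// Constructed example ranges; a real deployment lists only the proxy hosts
// that front Gogs (parse them once at startup rather than per request).
var trustedProxies = []string{"127.0.0.0/8", "10.0.0.0/8"}

// fromTrustedProxy tests the TCP peer address recorded by the server itself
// (RemoteAddr), which a client cannot forge the way it can forge a header.
func fromTrustedProxy(remoteAddr string, trustedCIDRs []string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return false // unparsable peer address: fail closed
	}
	for _, c := range trustedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// userFromHeader returns the user asserted by the proxy header, or "" when the
// peer is not a trusted proxy. Skipping that peer check is the pre-0.14.3
// behaviour the advisory describes.
func userFromHeader(r *http.Request, trustedCIDRs []string) string {
	if !fromTrustedProxy(r.RemoteAddr, trustedCIDRs) {
		return ""
	}
	return strings.TrimSpace(r.Header.Get(authHeader))
}

func main() {
	r := httptest.NewRequest("GET", "/", nil) // constructed request
	r.Header.Set(authHeader, "admin")
	r.RemoteAddr = "203.0.113.5:4444" // direct client, not the proxy
	fmt.Printf("user=%q\n", userFromHeader(r, trustedProxies)) // user=""
}
```

Whatever check Gogs itself applies, the proxy must also overwrite any client-supplied copy of the header, and Gogs should not be reachable on any network path that bypasses the proxy.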
