CVE-2026-47267
Deferred Deferred - Pending Action

SSRF via Webhook Redirect in Gogs

Vulnerability report for CVE-2026-47267, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability in Gogs prior to version 0.14.3 allows webhooks to follow redirects to hostnames inside local CIDRs, potentially exposing internal network resources.

To mitigate this vulnerability immediately, upgrade Gogs to version 0.14.3 or later where this issue is fixed.

Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service. Before version 0.14.3, although a fix was applied to prevent adding or running webhooks with URLs that resolve to local CIDR addresses, webhooks could still follow redirects to hostnames inside local CIDRs. This means an attacker could exploit webhook redirects to access internal network resources.

Impact Analysis

The vulnerability can allow an attacker to bypass restrictions on webhook URLs and access internal network resources by exploiting redirects. This can lead to unauthorized access to sensitive internal systems or data, potentially compromising confidentiality, integrity, and availability.

Compliance Impact

The CVE-2026-47267 vulnerability is a Server Side Request Forgery (SSRF) issue that allows unauthorized access to internal services by following redirects in webhook URLs. This could potentially lead to unauthorized access or exposure of sensitive internal data.

Such unauthorized access or data exposure could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access. However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Detection Guidance

This vulnerability is a Server Side Request Forgery (SSRF) in the Gogs webhook delivery system, where webhooks follow HTTP redirects to local or internal IP addresses. To detect exploitation attempts or the presence of this vulnerability on your system or network, you can monitor webhook requests and their redirect behavior.

Suggested detection methods include:

  • Inspect Gogs webhook configurations for URLs that may redirect to local CIDRs or internal IP addresses (e.g., 169.254.169.254).
  • Monitor outgoing HTTP requests from the Gogs server, especially webhook delivery requests, to detect if they follow redirects to internal IP ranges.
  • Use network monitoring tools or packet capture (e.g., tcpdump or Wireshark) on the Gogs server to observe HTTP traffic and identify requests to internal IP addresses triggered by webhook deliveries.
  • Check Gogs server logs for webhook delivery attempts and any unusual redirect responses.

Example commands to assist detection:

  • Use tcpdump to capture HTTP traffic from the Gogs server: sudo tcpdump -i <interface> -nn -s 0 -A 'tcp port 80 or tcp port 443'
  • Search Gogs webhook configuration files or database entries for suspicious URLs: grep -r 'http' /path/to/gogs/data or query the database for webhook URLs.
  • Use curl with verbose output to test webhook URLs and observe redirects: curl -v <webhook_url>

Since the vulnerability involves following redirects to local CIDRs, detecting unexpected redirects or webhook URLs that resolve to internal IPs is key.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47267. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart