CVE-2026-52795
Deferred Deferred - Pending Action

Authenticated User Privilege Escalation in Gogs via Watch API

Vulnerability report for CVE-2026-52795, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in version 0.14.3 and earlier. It allows any authenticated user to watch a private repository they do not have access to because of an inverted access check in the Watch API handler.

Specifically, the code incorrectly checks if the user can read the repository by using repoCtx.ViewerCanRead(), which returns a 404 error when the user can read, instead of checking if the user cannot read (!repoCtx.ViewerCanRead()) to return the 404 error. This logic flaw lets unauthorized users watch private repositories.

Once watching the private repository, the attacker’s dashboard activity feed displays sensitive information such as commit messages, branch names, issue titles, and pull request details from that private repository. Additionally, if email notifications are enabled, the attacker receives emails containing issue and comment content.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information from private repositories. An attacker who exploits this flaw can view commit messages, branch names, issue titles, and pull request details that should be restricted.

Moreover, if email notifications are enabled, the attacker can receive emails containing issue and comment content, further exposing confidential data.

This exposure can compromise the confidentiality of proprietary or sensitive project information, potentially leading to information leakage, intellectual property theft, or other security risks.

Compliance Impact

This vulnerability allows any authenticated user to watch private repositories they do not have access to, exposing sensitive internal development data such as commit messages, branch names, issue titles, pull request details, and potentially email notifications containing issue and comment content.

Such unauthorized exposure of sensitive information could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of confidential data.

Organizations using Gogs for proprietary or sensitive development may risk violating these standards due to the leakage of private repository information to unauthorized users.

Detection Guidance

This vulnerability can be detected by attempting to watch private repositories via the Gogs Watch API using an authenticated user account that does not have read access to those repositories.

A practical approach is to use API calls or commands to watch private repositories and observe if the system incorrectly allows this action.

  • Use curl or similar tools to send a watch request to the Gogs API endpoint for a private repository you do not have access to.
  • Example command: curl -X POST -H "Authorization: token YOUR_AUTH_TOKEN" https://your-gogs-instance/api/v1/repos/owner/private-repo/watch
  • If the request succeeds and the user can watch the repository, the vulnerability is present.

Additionally, monitoring dashboard activity feeds or email notifications for unauthorized repository updates can indicate exploitation of this vulnerability.

Mitigation Strategies

The immediate mitigation step is to update Gogs to a version that includes the fix for this vulnerability, which corrects the inverted authorization check in the Watch API handler.

If an immediate update is not possible, restrict access to the Watch API or disable email notifications temporarily to reduce information leakage.

Review and audit user permissions to ensure that only authorized users have access to private repositories.

Apply the patch from commit d61caa3676fde060d0c03ccf815851dddc7c67e0 which fixes the authorization logic by negating the access check condition.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52795. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart