CVE-2026-52795
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (returns 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: gogs
Product: gogs
Version / Range: up to and including 0.14.3
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in version 0.14.3 and earlier. It allows any authenticated user to watch a private repository they do not have access to because of an inverted access check in the Watch API handler.

Specifically, the code incorrectly checks if the user can read the repository by using repoCtx.ViewerCanRead(), which returns a 404 error when the user can read, instead of checking if the user cannot read (!repoCtx.ViewerCanRead()) to return the 404 error. This logic flaw lets unauthorized users watch private repositories.

Once watching the private repository, the attacker’s dashboard activity feed displays sensitive information such as commit messages, branch names, issue titles, and pull request details from that private repository. Additionally, if email notifications are enabled, the attacker receives emails containing issue and comment content.
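The inverted guard described above, and the regression check that catches it, as an added Go example. This is not Gogs code: RepoContext, ViewerCanRead, watchVulnerable, watchFixed and guardViolations are hypothetical stand-ins that model only the single predicate the advisory names. It goes one step beyond the advisory by enumerating every visibility/membership combination and flagging any handler whose 404 decision disagrees with the access predicate, which is the kind of property check that would have failed on the inverted guard before release.

```go
package main

import (
	"fmt"
	"net/http"
)

// RepoContext is a hypothetical stand-in for the repository request context a
// Gogs handler sees. Only the ViewerCanRead predicate named in the advisory is
// modelled; these two fields decide it.
type RepoContext struct {
	Private        bool // repository visibility
	ViewerIsMember bool // requesting user is a member/collaborator
}

// ViewerCanRead: public repositories are readable by anyone, private ones only
// by members.
func (c RepoContext) ViewerCanRead() bool {
	return !c.Private || c.ViewerIsMember
}

// watchVulnerable mirrors the inverted guard the advisory describes: readers
// get 404 and non-readers fall through to the watch action.
func watchVulnerable(c RepoContext) int {
	if c.ViewerCanRead() {
		return http.StatusNotFound
	}
	return http.StatusNoContent // watch recorded
}

// watchFixed negates the predicate, so only non-readers get 404.
func watchFixed(c RepoContext) int {
	if !c.ViewerCanRead() {
		return http.StatusNotFound
	}
	return http.StatusNoContent
}

// allContexts enumerates every visibility/membership combination (constructed
// test inputs, not real repositories).
func allContexts() []RepoContext {
	return []RepoContext{
		{Private: false, ViewerIsMember: false},
		{Private: false, ViewerIsMember: true},
		{Private: true, ViewerIsMember: false},
		{Private: true, ViewerIsMember: true},
	}
}

// guardViolations returns the contexts for which the handler's decision
// disagrees with the access predicate: 404 must be returned exactly when the
// viewer cannot read. An empty result means the guard is consistent.
func guardViolations(handler func(RepoContext) int) []RepoContext {
	var bad []RepoContext
	for _, c := range allContexts() {
		denied := handler(c) == http.StatusNotFound
		if denied != !c.ViewerCanRead() {
			bad = append(bad, c)
		}
	}
	return bad
}

func main() {
	handlers := map[string]func(RepoContext) int{
		"vulnerable": watchVulnerable,
		"fixed":      watchFixed,
	}
	for name, h := range handlers {
		fmt.Printf("%-10s violations: %v\n", name, guardViolations(h))
	}
}
```

The consistency check is deliberately phrased as "denied if and only if cannot read" rather than as one hand-picked case: an inverted predicate fails on every row of the table, while a guard that is merely missing a case fails on only some, so the shape of the violation list tells you which kind of bug you are looking at.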

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information from private repositories. An attacker who exploits this flaw can view commit messages, branch names, issue titles, and pull request details that should be restricted.

Moreover, if email notifications are enabled, the attacker can receive emails containing issue and comment content, further exposing confidential data.

This exposure can compromise the confidentiality of proprietary or sensitive project information, potentially leading to information leakage, intellectual property theft, or other security risks.
