CVE-2026-52799
Deferred Deferred - Pending Action

Unauthenticated Attachment Download in Gogs

Vulnerability report for CVE-2026-52799, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by attempting to access the attachment download endpoint without authentication using a valid UUID. If the system returns the raw attachment file without requiring authentication or permission checks, it indicates the presence of the vulnerability.

A simple way to test this is by sending an HTTP GET request to the endpoint /attachments/:uuid with a known UUID of an attachment in a private repository and observing if the file is returned.

Example command using curl:

  • curl -v http://<gogs-server>/attachments/<uuid>

If the response contains the attachment file without requiring authentication, the system is vulnerable. Replace <gogs-server> with your server address and <uuid> with an actual attachment UUID.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue is that the GET /attachments/:uuid endpoint returns the raw attachment file without verifying if the requester has permission to view the associated Issue, Comment, Release, or repository.

In particular, if the configuration REQUIRE_SIGNIN_VIEW is set to false, an unauthenticated user can download attachments from private repositories without any access control checks.

This means unauthorized users can access potentially sensitive files that should be restricted.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored as attachments in private repositories.

Since unauthenticated users can download attachments without permission, confidential data could be exposed to attackers or unauthorized parties.

This could result in data breaches, loss of intellectual property, or exposure of private communications.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later, where the issue is fixed.

Additionally, ensure that the configuration REQUIRE_SIGNIN_VIEW is set to true to prevent unauthenticated users from accessing attachments.

Compliance Impact

This vulnerability allows unauthenticated users to download attachments from private repositories without proper permission checks, potentially exposing sensitive or confidential information.

Such unauthorized data exposure could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal or sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart