CVE-2026-52799
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-52799
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated users to download attachments from private repositories without proper permission checks, potentially exposing sensitive or confidential information.

Such unauthorized data exposure could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal or sensitive data.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue is that the GET /attachments/:uuid endpoint returns the raw attachment file without verifying if the requester has permission to view the associated Issue, Comment, Release, or repository.

In particular, if the configuration REQUIRE_SIGNIN_VIEW is set to false, an unauthenticated user can download attachments from private repositories without any access control checks.

This means unauthorized users can access potentially sensitive files that should be restricted.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored as attachments in private repositories.

Since unauthenticated users can download attachments without permission, confidential data could be exposed to attackers or unauthorized parties.

This could result in data breaches, loss of intellectual property, or exposure of private communications.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later, where the issue is fixed.

Additionally, ensure that the configuration REQUIRE_SIGNIN_VIEW is set to true to prevent unauthenticated users from accessing attachments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart