CVE-2026-52800
Deferred Deferred - Pending Action

CSRF in Gogs Team Member Management

Vulnerability report for CVE-2026-52800, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. It allows organization team member management actions to be performed via GET requests without Cross-Site Request Forgery (CSRF) protection. If an organization owner who is logged in is tricked into visiting a specially crafted link, an attacker can add themselves or another user to the Owners team. This effectively grants the attacker organization owner–equivalent privileges.

Impact Analysis

The impact of this vulnerability is severe because an attacker can gain organization owner–equivalent privileges without proper authorization. This means the attacker can fully control the organization, including managing repositories, users, and settings. Such unauthorized access can lead to data breaches, unauthorized code changes, and disruption of organizational workflows.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the issue is fixed.

Additionally, avoid clicking on untrusted or suspicious links while logged in as an organization owner to reduce the risk of CSRF attacks.

Compliance Impact

CVE-2026-52800 allows an attacker to gain organization owner–equivalent privileges by exploiting a CSRF vulnerability, which can lead to unauthorized access and control over repositories, settings, and members.

Such unauthorized access and control can result in breaches of confidentiality, integrity, and availability of data managed within the affected system.

This type of security breach could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized modifications.

Detection Guidance

This vulnerability involves organization team member management actions being performed via GET requests without CSRF protection. To detect exploitation attempts on your network or system, you can monitor HTTP GET requests targeting the organization team member management endpoints in Gogs versions prior to 0.14.3.

Specifically, look for GET requests that attempt to add users to the Owners team or perform other state-changing operations that should normally require POST requests.

For example, you can use network traffic analysis tools or web server logs to search for suspicious GET requests with URLs related to team member management.

A sample command using grep on web server logs might be:

  • grep -i 'GET' /path/to/gogs/access.log | grep 'org/team/member'

Replace 'org/team/member' with the actual URL path used by your Gogs instance for managing organization team members.

Additionally, monitoring for unusual GET requests that result in changes to organization membership or owner roles can help detect exploitation attempts.

Since the vulnerability is fixed by requiring POST requests for these actions, any GET request performing such actions is suspicious.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart