CVE-2026-52800
Status: Received - Intake
Source: BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.
Affected Vendors & Products
Vendor: gogs
Product: gogs
Version / Range: all versions before 0.14.3 (0.14.3 itself is not affected)
CWE-352 (Cross-Site Request Forgery): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent it, so the request could have originated from an unauthorized actor.
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. It allows organization team member management actions to be performed via GET requests without Cross-Site Request Forgery (CSRF) protection. If an organization owner who is logged in is tricked into visiting a specially crafted link, an attacker can add themselves or another user to the Owners team. This effectively grants the attacker organization owner–equivalent privileges.
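The pattern behind this CWE-352 finding, as an added example that is not Gogs code: the page does not give the affected route, form field, or session implementation, so the path, the `uname` and `_csrf` parameters, the cookie-based session stub, and the in-memory Owners team below are all hypothetical. The vulnerable handler changes state on GET with nothing but the victim's cookie as proof; the hardened handler requires POST, rejects foreign Origins, and checks a per-session token that a cross-site page cannot read. The scenario functions replay both the cross-site requests and a legitimate one.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hypothetical route and origin; the real Gogs route is not given on the advisory page.
const addOwnerPath = "/org/example/teams/owners/action/add"
const siteOrigin = "https://git.example"

// Org is a constructed, in-memory stand-in for one organization's Owners team.
type Org struct{ Owners map[string]bool }

// Session is a constructed stand-in for a logged-in session: the user plus a
// per-session CSRF token that only same-origin pages can read and embed in forms.
type Session struct {
	User      string
	CSRFToken string
}

func NewSession(user string) *Session {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return &Session{User: user, CSRFToken: hex.EncodeToString(b)}
}

// callerIsOwner mimics cookie-based authentication. The browser attaches the session
// cookie to every request to this host, including ones an attacker's page triggers.
func callerIsOwner(r *http.Request, org *Org, sess *Session) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == sess.User && org.Owners[sess.User]
}

// VulnerableAddOwner reproduces the advisory's pattern: a state-changing action on GET
// with no anti-CSRF token. Authentication passes, but nothing proves the owner intended it.
func VulnerableAddOwner(org *Org, sess *Session) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !callerIsOwner(r, org, sess) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		org.Owners[r.URL.Query().Get("uname")] = true
		fmt.Fprintln(w, "added")
	}
}

// HardenedAddOwner requires POST, rejects requests from other origins, and compares the
// submitted token to the session token in constant time before touching the team.
func HardenedAddOwner(org *Org, sess *Session) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !callerIsOwner(r, org, sess) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if o := r.Header.Get("Origin"); o != "" && o != siteOrigin {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.PostForm.Get("_csrf")), []byte(sess.CSRFToken)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		org.Owners[r.PostForm.Get("uname")] = true
		fmt.Fprintln(w, "added")
	}
}

// Scenario helpers: a fresh org whose only owner is "alice", a session for alice, one
// request sent the way alice's browser would send it, and whether "mallory" became an owner.
func setup() (*Org, *Session) {
	return &Org{Owners: map[string]bool{"alice": true}}, NewSession("alice")
}

func send(h http.Handler, victim *Session, req *http.Request) int {
	req.AddCookie(&http.Cookie{Name: "session", Value: victim.User}) // added by the browser, not the page
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func postForm(form url.Values, origin string) *http.Request {
	req := httptest.NewRequest(http.MethodPost, addOwnerPath, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Origin", origin)
	return req
}

// AttackVulnerable: the logged-in owner follows a crafted link (or loads an <img>) to the GET URL.
func AttackVulnerable() (int, bool) {
	org, sess := setup()
	code := send(VulnerableAddOwner(org, sess), sess, httptest.NewRequest(http.MethodGet, addOwnerPath+"?uname=mallory", nil))
	return code, org.Owners["mallory"]
}

// AttackHardenedGet: the same crafted link against the hardened handler.
func AttackHardenedGet() (int, bool) {
	org, sess := setup()
	code := send(HardenedAddOwner(org, sess), sess, httptest.NewRequest(http.MethodGet, addOwnerPath+"?uname=mallory", nil))
	return code, org.Owners["mallory"]
}

// AttackHardenedPost: an attacker page auto-submits a cross-site form; the browser sends the
// cookie and a foreign Origin, but the page cannot read or guess the victim's token.
func AttackHardenedPost() (int, bool) {
	org, sess := setup()
	code := send(HardenedAddOwner(org, sess), sess, postForm(url.Values{"uname": {"mallory"}}, "https://attacker.example"))
	return code, org.Owners["mallory"]
}

// LegitimateHardened: alice submits the site's own form, which carries her session token.
func LegitimateHardened() (int, bool) {
	org, sess := setup()
	form := url.Values{"uname": {"mallory"}, "_csrf": {sess.CSRFToken}}
	code := send(HardenedAddOwner(org, sess), sess, postForm(form, siteOrigin))
	return code, org.Owners["mallory"]
}

func main() {
	for _, s := range []struct {
		name string
		run  func() (int, bool)
	}{{"vulnerable GET", AttackVulnerable}, {"hardened GET", AttackHardenedGet}, {"hardened cross-site POST", AttackHardenedPost}, {"hardened legitimate POST", LegitimateHardened}} {
		code, added := s.run()
		fmt.Printf("%-26s status=%d mallory_is_owner=%v\n", s.name, code, added)
	}
}
```

The point the scenarios make: the cookie check is identical in both handlers, so authentication alone never distinguishes a forged request from a real one; only a secret the cross-site page cannot obtain (the token) or a signal it cannot forge (the method and Origin) does.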

Impact Analysis

The impact of this vulnerability is severe because an attacker can gain organization owner–equivalent privileges without proper authorization. This means the attacker can fully control the organization, including managing repositories, users, and settings. Such unauthorized access can lead to data breaches, unauthorized code changes, and disruption of organizational workflows.

Mitigation Strategies

Upgrade Gogs to version 0.14.3 or later, where the issue is fixed.

Until the upgrade is done, treat any page an organization owner opens while logged in as a potential trigger. Because the vulnerable action is a GET request, the owner does not need to click anything: an image or script tag on a page the owner merely views is enough to issue the request, and a SameSite=Lax session cookie does not block a top-level GET navigation. After upgrading, review the Owners team of each organization for accounts that do not belong there and remove them, since membership added through a forged request persists after the fix.
