CVE-2026-52808
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints (PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync) are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (AccessMode == AccessModeWrite, which is below AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger a mirror sync, none of which they are authorized to do. This vulnerability is fixed in 0.14.3.
Meta Information
Generated: 2026-06-25
EPSS evaluated: N/A
Affected Vendors & Products
Vendor: gogs
Product: gogs
Version / Range: 0.14.3
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Mitigation Strategies

The vulnerability is fixed in Gogs version 0.14.3. The immediate step to mitigate this vulnerability is to upgrade your Gogs installation to version 0.14.3 or later.

This update ensures that the three affected API endpoints are properly gated by reqRepoAdmin(), preventing write-level collaborators from performing unauthorized actions.
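The discrepancy the advisory describes, reduced to a small Go model, as an added example that is not Gogs' own code: the AccessMode ordering, the two gates (reqRepoWriter and reqRepoAdmin) and the three route registrations are written here from the advisory text, with the Context type, Route table and Dispatch/WeakAdminRoutes helpers constructed for illustration. The route table is shown wired the pre-0.14.3 way and the fixed way, and WeakAdminRoutes is the kind of regression check a maintainer would keep so that an admin-only endpoint cannot silently regress to the write gate again.

```go
package main

import "fmt"

// AccessMode models the ordering the advisory relies on (Write < Admin).
// Constructed for this example; Gogs uses the same names but these are not
// its declarations.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
	AccessModeAdmin
	AccessModeOwner
)

// Context is a minimal stand-in for the per-request context a gate inspects
// (hypothetical type, not Gogs' real one).
type Context struct {
	Mode   AccessMode
	Status int
}

// Gate is a middleware that reports whether the request may proceed and
// records an HTTP status when it refuses.
type Gate func(*Context) bool

// reqRepoWriter admits any collaborator with write access or better.
func reqRepoWriter(c *Context) bool {
	if c.Mode < AccessModeWrite {
		c.Status = 403
		return false
	}
	return true
}

// reqRepoAdmin admits only AccessMode >= AccessModeAdmin, the gate the web UI
// already applied to the same repository settings.
func reqRepoAdmin(c *Context) bool {
	if c.Mode < AccessModeAdmin {
		c.Status = 403
		return false
	}
	return true
}

// Route pairs a method and path with the gate placed in front of the handler.
type Route struct {
	Method, Path string
	Guard        Gate
}

// The three endpoints from the advisory, wired the pre-0.14.3 way (write gate).
var vulnerableRoutes = []Route{
	{"PATCH", "/api/v1/repos/:owner/:repo/issue-tracker", reqRepoWriter},
	{"PATCH", "/api/v1/repos/:owner/:repo/wiki", reqRepoWriter},
	{"POST", "/api/v1/repos/:owner/:repo/mirror-sync", reqRepoWriter},
}

// The same endpoints behind the admin gate, as the fix requires.
var fixedRoutes = []Route{
	{"PATCH", "/api/v1/repos/:owner/:repo/issue-tracker", reqRepoAdmin},
	{"PATCH", "/api/v1/repos/:owner/:repo/wiki", reqRepoAdmin},
	{"POST", "/api/v1/repos/:owner/:repo/mirror-sync", reqRepoAdmin},
}

// Dispatch runs the matching route's gate for a caller with the given access
// mode and returns whether the handler would run plus the resulting status.
func Dispatch(routes []Route, method, path string, mode AccessMode) (bool, int) {
	for _, r := range routes {
		if r.Method != method || r.Path != path {
			continue
		}
		c := &Context{Mode: mode, Status: 200}
		return r.Guard(c), c.Status
	}
	return false, 404
}

// WeakAdminRoutes probes every route that should be admin-only with a
// write-level context and reports the ones that let it through.
func WeakAdminRoutes(routes []Route) []string {
	var weak []string
	for _, r := range routes {
		c := &Context{Mode: AccessModeWrite, Status: 200}
		if r.Guard(c) {
			weak = append(weak, r.Method+" "+r.Path)
		}
	}
	return weak
}

func main() {
	tables := map[string][]Route{"pre-0.14.3": vulnerableRoutes, "fixed": fixedRoutes}
	for name, routes := range tables {
		ok, status := Dispatch(routes, "PATCH", "/api/v1/repos/:owner/:repo/wiki", AccessModeWrite)
		fmt.Printf("%-10s write-level PATCH wiki -> allowed=%v status=%d\n", name, ok, status)
		fmt.Printf("%-10s admin-only routes reachable at write level: %v\n", name, WeakAdminRoutes(routes))
	}
}
```

The useful part for a maintainer is WeakAdminRoutes: a table-driven test that walks every route the project considers admin-only with a write-level context catches exactly this class of mismatch between UI and API gating, regardless of which middleware name a future refactor chooses.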

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. Three API endpoints (PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync) are incorrectly protected by a permission check that only requires write-level access (reqRepoWriter) instead of admin-level access (reqRepoAdmin).

As a result, a collaborator with write access (but not admin access) can perform actions they should not be authorized to do, such as disabling the native issue tracker or wiki, injecting attacker-controlled external URLs that redirect repository visitors, or triggering mirror synchronization.

This discrepancy arises because the equivalent operations in the web UI require admin-level permissions, but the API endpoints do not enforce the same level of access control.

Impact Analysis

This vulnerability can impact you by allowing a collaborator with write access to perform unauthorized administrative actions on your repository.

  • Disabling the native issue tracker or wiki, which could disrupt project management and documentation.
  • Injecting attacker-controlled external URLs for the issue tracker or wiki, potentially redirecting repository visitors to malicious sites.
  • Triggering mirror synchronization without proper authorization, which could lead to unintended data exposure or synchronization issues.

Overall, these unauthorized actions can compromise the integrity and security of your repository and its users.
