CVE-2026-52808
Deferred Deferred - Pending Action

Privilege Escalation in Gogs via API Misconfiguration

Vulnerability report for CVE-2026-52808, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints β€” PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync β€” are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync β€” none of which they are authorized to do. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs 0.14.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed in Gogs version 0.14.3. The immediate step to mitigate this vulnerability is to upgrade your Gogs installation to version 0.14.3 or later.

This update ensures that the three affected API endpoints are properly gated by reqRepoAdmin(), preventing write-level collaborators from performing unauthorized actions.

Detection Guidance

This vulnerability involves unauthorized access to specific Gogs API endpoints by write-level collaborators. To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the following API endpoints:

  • PATCH /api/v1/repos/:owner/:repo/issue-tracker
  • PATCH /api/v1/repos/:owner/:repo/wiki
  • POST /api/v1/repos/:owner/:repo/mirror-sync

You can use network monitoring tools or web server logs to identify requests to these endpoints made by users with write-level access but without admin privileges.

Example commands to search for such requests in web server logs (assuming logs are in common log format):

  • grep -E 'PATCH /api/v1/repos/.+/issue-tracker' /var/log/gogs/access.log
  • grep -E 'PATCH /api/v1/repos/.+/wiki' /var/log/gogs/access.log
  • grep -E 'POST /api/v1/repos/.+/mirror-sync' /var/log/gogs/access.log

Additionally, correlate these requests with user roles to identify if any write-level collaborators are making these calls, which should be restricted to admins only.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. Three API endpoints (PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync) are incorrectly protected by a permission check that only requires write-level access (reqRepoWriter) instead of admin-level access (reqRepoAdmin).

As a result, a collaborator with write access (but not admin access) can perform actions they should not be authorized to do, such as disabling the native issue tracker or wiki, injecting attacker-controlled external URLs that redirect repository visitors, or triggering mirror synchronization.

This discrepancy arises because the equivalent operations in the web UI require admin-level permissions, but the API endpoints do not enforce the same level of access control.

Impact Analysis

This vulnerability can impact you by allowing a collaborator with write access to perform unauthorized administrative actions on your repository.

  • Disabling the native issue tracker or wiki, which could disrupt project management and documentation.
  • Injecting attacker-controlled external URLs for the issue tracker or wiki, potentially redirecting repository visitors to malicious sites.
  • Triggering mirror synchronization without proper authorization, which could lead to unintended data exposure or synchronization issues.

Overall, these unauthorized actions can compromise the integrity and security of your repository and its users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52808. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart