CVE-2026-52809
Status: Received - Intake
Password Reset Token Lifetime Misconfiguration in Gogs

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.
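As an added illustration (constructed for this page, not Gogs' own code), the pattern the description outlines, in Go: a time-limited code that carries its own start time and lifetime, a verifier that trusts whatever lifetime it finds inside the code, and the reset-code minting before and after the fix. The config type, field names, secret and lifetime values are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"time"
)

// Constructed stand-in for the two lifetime settings (in minutes); not Gogs' real config type.
type AuthConf struct{ ActivateCodeLives, ResetPasswordCodeLives int }
var secret = []byte("constructed-demo-secret") // placeholder, not a real key

// makeCode mints a self-describing time-limited code: start time, lifetime in minutes,
// then an HMAC over those fields and the bound data. The lifetime is baked into the code.
func makeCode(data string, minutes int, start time.Time) string {
	startStr := start.UTC().Format("200601021504")
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(data + startStr + strconv.Itoa(minutes)))
	return fmt.Sprintf("%s%06d%x", startStr, minutes, mac.Sum(nil))
}

// verifyCode re-extracts the lifetime from the code itself and never consults the
// current configuration, so RESET_PASSWORD_CODE_LIVES cannot shorten a code already minted.
func verifyCode(data, code string, now time.Time) bool {
	if len(code) < 18 {
		return false
	}
	start, err := time.Parse("200601021504", code[:12])
	minutes, err2 := strconv.Atoi(code[12:18])
	if err != nil || err2 != nil {
		return false
	}
	// Recompute the MAC so a tampered lifetime field is rejected.
	if !hmac.Equal([]byte(makeCode(data, minutes, start)), []byte(code)) {
		return false
	}
	return now.Before(start.Add(time.Duration(minutes) * time.Minute))
}

// vulnerableResetCode mirrors the bug: the reset code is minted with the activation lifetime.
func vulnerableResetCode(c AuthConf, data string, start time.Time) string {
	return makeCode(data, c.ActivateCodeLives, start)
}

// fixedResetCode uses the reset-password lifetime, which is what 0.14.3 enforces.
func fixedResetCode(c AuthConf, data string, start time.Time) string {
	return makeCode(data, c.ResetPasswordCodeLives, start)
}
```

The same harness doubles as a post-upgrade check: mint a reset code under the configured RESET_PASSWORD_CODE_LIVES and confirm the verifier rejects it once that window has passed.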
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: gogs
Product: gogs
Version / Range: up to 0.14.3 (excluding)
CWE
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
CWE-324: The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
Executive Summary

This vulnerability affects Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue is that password-reset tokens are generated using the account-activation token lifetime setting (conf.Auth.ActivateCodeLives) instead of the intended password-reset token lifetime setting (conf.Auth.ResetPasswordCodeLives). Because the token lifetime is embedded in the token at creation and checked during verification, the configured shorter reset token lifetime is ignored. As a result, reset tokens remain valid for the longer activation lifetime, even if the administrator configures a shorter reset window for security or compliance reasons. This means the reset tokens can be exploited for longer than intended, while the reset email incorrectly states a shorter expiry time.

Impact Analysis

This vulnerability can impact you by allowing password-reset tokens to remain valid for longer than intended, potentially exposing user accounts to unauthorized access. Even if administrators set a short expiration time for reset tokens to enhance security, the tokens will actually be valid for the longer account-activation lifetime. This discrepancy means an attacker could use a reset token that should already have expired, increasing the risk of account compromise.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later, where the issue with password-reset token lifetime enforcement is fixed.

Ensure that the configuration for password-reset token lifetime (conf.Auth.ResetPasswordCodeLives) is properly enforced after the upgrade.

Compliance Impact

This vulnerability causes password-reset tokens to remain valid for a longer period than intended when administrators configure a shorter reset window for compliance or security reasons. As a result, reset tokens can be exploited for the full activation lifetime instead of the shorter reset lifetime advertised in reset emails.

Because the reset token lifetime enforcement does not align with configured policies, this could undermine compliance efforts with standards and regulations such as GDPR or HIPAA that require strict control over authentication and password reset mechanisms to protect user data and privacy.
