CVE-2026-52815
Status: Received - Intake
Information Disclosure in Gogs Prior to 0.14.3

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.
Affected Vendors & Products

Vendor: gogs
Product: gogs
Version / Range: prior to 0.14.3 (0.14.3 itself excluded)
CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue is an unauthenticated information disclosure where the API endpoint GET /api/v1/orgs/:orgname/teams returns all teams for any organization without requiring authentication.

The problem arises because the route group handling this endpoint lacks the required authentication middleware (reqToken()), and the handler function listTeams() does not perform any authentication checks. As a result, anyone can access team IDs, names, descriptions, and permission levels without logging in.

This vulnerability was fixed in version 0.14.3 of Gogs.

Compliance Impact

The vulnerability allows unauthenticated information disclosure of team details such as IDs, names, descriptions, and permission levels in Gogs prior to version 0.14.3.

Such unauthorized exposure of organizational information could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require protection of sensitive information and control over access.

However, the provided context does not explicitly state the impact on compliance with these standards.

Impact Analysis

This vulnerability can impact you by exposing sensitive organizational information without any authentication. Specifically, an attacker or unauthorized user can retrieve details about all teams within any organization hosted on the vulnerable Gogs instance.

  • Exposure of team IDs, which could be used to target specific teams.
  • Disclosure of team names and descriptions, potentially revealing internal structure or sensitive project information.
  • Exposure of permission levels, which could aid attackers in understanding access controls and planning further attacks.

Overall, this information disclosure could facilitate social engineering, reconnaissance, or targeted attacks against the organization.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoint without authentication and observing if team information is disclosed.

  • Send an unauthenticated GET request to the endpoint /api/v1/orgs/:orgname/teams on your Gogs instance.
  • Example command using curl: curl -X GET http://<gogs-server>/api/v1/orgs/<orgname>/teams
  • If the response contains team IDs, names, descriptions, and permission levels without requiring authentication, the system is vulnerable.
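
To make the route-wiring point concrete, the following is an added Go example, not Gogs' own code: reqToken here is a hypothetical simplification of the real middleware, the team records are constructed, and the organization name "acme" is a placeholder. It registers the same handler once bare (the pre-0.14.3 wiring) and once behind the token check, then probes both the way the detection guidance describes.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data with the fields the advisory says the endpoint exposes.
var sampleTeams = []map[string]interface{}{
	{"id": 1, "name": "Owners", "description": "org admins", "permission": "owner"},
	{"id": 2, "name": "Backend", "description": "service code", "permission": "write"},
}

// listTeams performs no authentication check of its own, like the vulnerable handler.
func listTeams(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(sampleTeams)
}

// reqToken is a hypothetical, simplified stand-in for Gogs' reqToken() middleware: it rejects
// the request before the handler runs unless "Authorization: token <value>" is present.
// A real implementation must also validate the token value itself.
func reqToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "token ") || strings.TrimSpace(auth[len("token "):]) == "" {
			http.Error(w, `{"message":"token is required"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Route wiring: Vulnerable registers the handler bare, as the pre-0.14.3 route group
// did; Hardened wraps it in reqToken so unauthenticated callers never reach listTeams.
var (
	Vulnerable http.Handler = http.HandlerFunc(listTeams)
	Hardened   http.Handler = reqToken(Vulnerable)
)

// Probe sends GET /api/v1/orgs/acme/teams with the given Authorization header value
// (empty for an unauthenticated call) and returns the status code: the advisory's check.
func Probe(h http.Handler, authorization string) int {
	req := httptest.NewRequest("GET", "/api/v1/orgs/acme/teams", nil)
	req.Header.Set("Authorization", authorization)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Against a real instance the equivalent check is the curl command above: a 200 with team JSON and no token is the vulnerable behaviour, a 401 is the expected one.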

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Gogs to version 0.14.3 or later, where the issue is fixed.
