CVE-2026-25232

Exploit

EPSS 0.44%
Veröffentlicht 19.02.2026 02:25:34
Zuletzt bearbeitet 19.02.2026 19:44:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Gogs has a Protected Branch Deletion Bypass in Web Interface

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured to the target repository and access to the Gogs web interface. This issue has been fixed in version 0.14.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gogs ≫ Gogs Version < 0.14.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.347

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p

Vendor Advisory

Exploit

https://github.com/gogs/gogs/pull/8124

Issue Tracking

https://github.com/gogs/gogs/commit/7b7e38c88007a7c482dbf31efff896185fd9b79c

Patch

https://github.com/gogs/gogs/releases/tag/v0.14.1

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-25232

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25232

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25232

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25232