4.3
CVE-2026-52795
- EPSS 0.17%
- Veröffentlicht 24.06.2026 20:06:15
- Zuletzt bearbeitet 25.06.2026 16:16:38
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellergogs
≫
Produkt
gogs
Version
<= 0.14.3
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.064 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2
https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0