CVE-2025-65852: Improper Access Control in Gogs

Severity: MEDIUM (no vector)
EPSS: No EPSS data
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 6
Latest update: Feb 17

Description

Gogs has authorization bypass in repository deletion API

### Summary

The DELETE /api/v1/repos/:owner/:repo endpoint lacks the necessary permission-validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository. This vulnerability stems from the API route configuration using only the repoAssignment() middleware (which verifies read access alone) without enforcing reqRepoOwner() or reqRepoAdmin().

### Details

0. vulnerability
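The following Go program is an added illustration of the route-wiring defect the advisory describes; it is not Gogs's own code. The step names repoAssignment and reqRepoOwner are modelled on the middleware the advisory cites, but the handler-chain shape, the X-User header used to identify the caller, the AccessMode levels and the sample collaborator table are all constructed for this example. It wires the same DELETE handler twice, once behind the read-only gate and once with the owner check added, and shows that only the second wiring stops a read-only collaborator from deleting the repository.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AccessMode is a simplified per-repository permission level, constructed
// for this example (not Gogs's own type).
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
	AccessOwner
)

// Context holds what a repo-assignment step resolves: caller, repo, access mode.
type Context struct {
	User string
	Repo string
	Mode AccessMode
}

// step is one link in a handler chain; returning false aborts the chain.
type step func(ctx *Context, w http.ResponseWriter) bool

// Constructed sample data: one repository and a collaborator table.
var repos map[string]bool
var perms = map[string]map[string]AccessMode{
	"alice": {"alice/project": AccessOwner},
	"bob":   {"alice/project": AccessRead}, // read-only collaborator
}

// repoAssignment models the middleware the advisory names: it resolves the
// repo and rejects only callers who cannot read it at all.
func repoAssignment(ctx *Context, w http.ResponseWriter) bool {
	if ctx.Mode < AccessRead {
		http.Error(w, "not found", http.StatusNotFound)
		return false
	}
	return true
}

// reqRepoOwner models the owner check the vulnerable route omitted.
func reqRepoOwner(ctx *Context, w http.ResponseWriter) bool {
	if ctx.Mode < AccessOwner {
		http.Error(w, "forbidden", http.StatusForbidden)
		return false
	}
	return true
}

// deleteRepo is the destructive handler at the end of the chain.
func deleteRepo(ctx *Context, w http.ResponseWriter) bool {
	delete(repos, ctx.Repo)
	w.WriteHeader(http.StatusNoContent)
	return true
}

// route builds a handler from an ordered chain of steps. The caller is taken
// from an "X-User" header, an assumption for this example only (Gogs
// authenticates API calls with tokens, not this header).
func route(steps ...step) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User")
		repo := strings.TrimPrefix(r.URL.Path, "/api/v1/repos/")
		ctx := &Context{User: user, Repo: repo, Mode: perms[user][repo]}
		for _, s := range steps {
			if !s(ctx, w) {
				return
			}
		}
	}
}

// Vulnerable wiring: read access is the only gate before deletion.
var vulnerableDelete = route(repoAssignment, deleteRepo)

// Hardened wiring: the owner check sits between assignment and the handler.
var fixedDelete = route(repoAssignment, reqRepoOwner, deleteRepo)

// tryDelete resets the sample repo, issues DELETE as user, and reports the
// status code and whether the repository still exists afterwards.
func tryDelete(h http.HandlerFunc, user, repo string) (int, bool) {
	repos = map[string]bool{"alice/project": true}
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/repos/"+repo, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, repos[repo]
}

func VulnerableDelete(user, repo string) (int, bool) { return tryDelete(vulnerableDelete, user, repo) }
func FixedDelete(user, repo string) (int, bool)      { return tryDelete(fixedDelete, user, repo) }

func main() {
	for _, user := range []string{"alice", "bob", "mallory"} {
		code, alive := VulnerableDelete(user, "alice/project")
		fmt.Printf("vulnerable: %-8s -> %d, repo exists: %v\n", user, code, alive)
		code, alive = FixedDelete(user, "alice/project")
		fmt.Printf("fixed:      %-8s -> %d, repo exists: %v\n", user, code, alive)
	}
}
```

The review point this makes is that a "resolve and check read access" step is not an authorization decision for a destructive method: every route that mutates or deletes needs its own explicit requirement (owner or admin) in the chain, and a test like tryDelete for a read-only collaborator is the cheapest regression guard.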

Affected Packages (1 package)

Go: gogs.io/gogs < 0.13.4

🔴 Vulnerability Details (3)

OSV: Gogs has authorization bypass in repository deletion API in gogs.io/gogs (2026-02-17)
OSV: Gogs has authorization bypass in repository deletion API (2026-02-06)
GHSA: Gogs has authorization bypass in repository deletion API (2026-02-06)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-65852 Impact, Exploitability, and Mitigation Steps | Wiz