CVE-2026-23632: Missing Authorization in Gogs

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 95.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 6
Latest update: Feb 17

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

Source     | Package       | Affected range
CVEListV5  | gogs/gogs     | < 0.14.0+dev
NVD        | gogs/gogs     | < 0.13.4
Go         | gogs.io/gogs  | < 0.13.4

Vulnerability Details

OSV
Gogs user can update repository content with read-only permission in gogs.io/gogs (2026-02-17)
OSV
Gogs user can update repository content with read-only permission (2026-02-06)
GHSA
Gogs user can update repository content with read-only permission (2026-02-06)

Threat Intelligence

Wiz
CVE-2026-23632 Impact, Exploitability, and Mitigation Steps | Wiz