CVE-2026-23632
published 2026-02-06CVE-2026-23632: Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write…
PriorityP340medium6.5CVSS 3.1
AVNACLPRLUINSUCNIHAN
EPSS
0.28%
19.9th percentile
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.13.4 | 0.13.4 |
| gogs | gogs | < 0.14.0+dev | 0.14.0+dev |
| gogs | gogs | < 0.13.4 | 0.13.4 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Gogs user can update repository content with read-only permission in gogs.io/gogs
osv·2026-02-17
CVE-2026-23632 Gogs user can update repository content with read-only permission in gogs.io/gogs
Gogs user can update repository content with read-only permission in gogs.io/gogs
Gogs user can update repository content with read-only permission in gogs.io/gogs.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: gogs.io/gogs before v0.13.4.
OSV
Gogs user can update repository content with read-only permission
osv·2026-02-06
CVE-2026-23632 [MEDIUM] Gogs user can update repository content with read-only permission
Gogs user can update repository content with read-only permission
## Vulnerability Description
The endpoint
`PUT /repos/:owner/:repo/contents/*`
does not require write permissions and allows access with **read permission only** via `repoAssignment()`.
After passing the permission check, `PutContents()` invokes `UpdateRepoFile()`, which results in:
* Commit creation
* Execution of `git push`
As a result, a token with **read-only permission** can be used to modify repository contents.
---
## Attack Prerequisites
* Possession of a valid access token
* Read permission on the target repository
(public repository or collaborator with read access)
---
## Attack Scenario
1. The attacker accesses the target repository with a read-only token
2. The attacker sends a `PUT /contents` request
GHSA
Gogs user can update repository content with read-only permission
ghsa·2026-02-06
CVE-2026-23632 [MEDIUM] CWE-862 Gogs user can update repository content with read-only permission
Gogs user can update repository content with read-only permission
## Vulnerability Description
The endpoint
`PUT /repos/:owner/:repo/contents/*`
does not require write permissions and allows access with **read permission only** via `repoAssignment()`.
After passing the permission check, `PutContents()` invokes `UpdateRepoFile()`, which results in:
* Commit creation
* Execution of `git push`
As a result, a token with **read-only permission** can be used to modify repository contents.
---
## Attack Prerequisites
* Possession of a valid access token
* Read permission on the target repository
(public repository or collaborator with read access)
---
## Attack Scenario
1. The attacker accesses the target repository with a read-only token
2. The attacker sends a `PUT /contents` request
No detection rules found.
No public exploits indexed.
2026-02-06
Published