CVE-2026-25120Authorization Bypass Through User-Controlled Key in Gogs

CWE-639Authorization Bypass Through User-Controlled Key5 documents4 sources
Severity
5.1MEDIUMNVD
EPSS
0.0%
top 96.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Gogs.io GogsGogs
Timeline
PublishedFeb 19
Latest updateFeb 23

Description

Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository valida

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDgogs/gogs< 0.14.0
Gogogs.io/gogs< 0.14.0

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
Gogs Allows Cross-Repository Comment Deletion via DeleteComment in gogs.io/gogs2026-02-23
OSV
Gogs Allows Cross-Repository Comment Deletion via DeleteComment2026-02-17
GHSA
Gogs Allows Cross-Repository Comment Deletion via DeleteComment2026-02-17

🕵️Threat Intelligence

1
Wiz
CVE-2026-25120 Impact, Exploitability, and Mitigation Steps | Wiz