CVE-2026-25232: Incorrect Authorization in Gogs

Severity
7.1 HIGH (NVD)
EPSS
0.0% (top 86.90%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 19
Latest update: Feb 23

Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function enables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

NVD: gogs/gogs < 0.14.1
Go: gogs.io/gogs < 0.14.1

Patches

Vulnerability Details (3)

OSV
Gogs has a Protected Branch Deletion Bypass in Web Interface in gogs.io/gogs (2026-02-23)
OSV
Gogs has a Protected Branch Deletion Bypass in Web Interface (2026-02-17)
GHSA
Gogs has a Protected Branch Deletion Bypass in Web Interface (2026-02-17)

Threat Intelligence (1)
Wiz
CVE-2026-25232 Impact, Exploitability, and Mitigation Steps | Wiz