CVE-2026-26196 — Use of GET Request Method With Sensitive Query Strings in Gogs

CWE-598 — Use of GET Request Method With Sensitive Query Strings21 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 87.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gogs Gogs.io Gogs

Timeline

PublishedMar 5

Latest updateMar 10

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDgogs/gogs< 0.14.2

▶Gogogs.io/gogs0.13.3

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Gogs: Access tokens get exposed through URL params in API requests in gogs.io/gogs↗2026-03-10

▶

OSV

Gogs: Access tokens get exposed through URL params in API requests↗2026-03-05

▶

GHSA

Gogs: Access tokens get exposed through URL params in API requests↗2026-03-05

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26196 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-24135 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25921 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22592 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26022 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶