CVE-2026-52815
Published 2026-06-24
Priority: P3 · 50 · medium · 5.5 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (all other metrics X, not defined)
EXPLOIT
EPSS: 1.55% (72.0th percentile)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.
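The flaw class described above, as an added example that is not Gogs code: the same route registered bare and then wrapped in an auth middleware, using Go's net/http. The names requireToken, newAPI, status and teamsPath, the example-org path and the team data are hypothetical stand-ins, and requireToken only checks that a token is presented.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const teamsPath = "/api/v1/orgs/example-org/teams" // constructed sample path

// requireToken: hypothetical stand-in for the reqToken() middleware in the advisory.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "token ") {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// listTeams performs no authentication check itself; the team is constructed.
func listTeams(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `[{"id":1,"name":"Owners","permission":"owner"}]`)
}

// newAPI registers the route bare (flawed) or behind requireToken (fixed).
func newAPI(guarded bool) http.Handler {
	var h http.Handler = http.HandlerFunc(listTeams)
	if guarded {
		h = requireToken(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/api/v1/orgs/", h)
	return mux
}

// status returns the code a GET gets; authz is the raw Authorization header.
func status(api http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	api.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(newAPI(false), teamsPath, ""), status(newAPI(true), teamsPath, ""))
}
```

A regression test that calls status with an empty Authorization header for each API route catches a route group registered without its guard.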
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs.io | gogs | >= 0 < 0.14.3 | 0.14.3 |
| gogs | gogs | < 0.14.3 | 0.14.3 |
Nuclei
Gogs < 0.14.3 - Unauthenticated Organization Teams Disclosure
Gogs before version 0.14.3 contains an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint returns all teams for any organization without requiring authentication. The route group lacks the reqToken() middleware, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller.
Template:
```yaml
id: CVE-2026-52815
info:
  name: Gogs < 0.14.3 - Unauthenticated Organization Teams Disclosure
  author: 0x_Akoko
  severity: low
  description: |
    Gogs before version 0.14.3 contains an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint returns all teams for any organization without requiring authentication. The route group lacks
```