SB2026020959 - Multiple vulnerabilities in gogs
Published: February 9, 2026 | Updated: June 3, 2026
Description
This security bulletin contains information about 12 vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2025-64111)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the repository put-contents API. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) Path traversal (CVE-ID: CVE-2026-23633)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in Git hook editing. A remote administrator can send a specially crafted HTTP request and read/write arbitrary files on the system.
3) Missing Authorization (CVE-ID: CVE-2026-23632)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to missing authorization in the "PUT /repos/:owner/:repo/contents/*" endpoint. A remote user can modify repository contents.
4) Path traversal (CVE-ID: CVE-2026-24135)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in the "updateWikiPage" function. A remote user can send a specially crafted HTTP request and delete arbitrary files on the system.
5) Missing Authorization (CVE-ID: CVE-2026-22592)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing authorization in the repository mirror sync. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
6) Improper access control (CVE-ID: CVE-2025-65852)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the repository deletion API. A remote user can bypass the implemented security restrictions and delete the entire repository.
7) Improper Authentication (CVE-ID: CVE-2025-64175)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error when processing authentication requests within the "UseRecoveryCode" function. A remote attacker can bypass the authentication process and gain unauthorized access to the application.
8) Incorrect authorization (CVE-ID: CVE-2026-25232)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to bypass branch protection and delete protected branches.
The vulnerability exists due to improper access control in the DeleteBranchPost function in the web interface when handling direct POST requests to branch deletion endpoints. A remote user can send a specially crafted POST request to bypass branch protection and delete protected branches.
The issue affects repository collaborators with Write permissions and can also be used to delete the default branch because the web deletion path does not trigger the Git Hook layer checks.
9) Improper access control (CVE-ID: CVE-2026-25242)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to upload arbitrary files to the server.
The vulnerability exists due to improper access control in the /issues/attachments and /releases/attachments endpoints when handling attachment upload requests with RequireSigninView disabled. A remote attacker can send a specially crafted upload request to upload arbitrary files to the server.
CSRF protection does not prevent exploitation because a valid token can be obtained anonymously from the site.
10) Improper access control (CVE-ID: CVE-2026-25229)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify labels belonging to other repositories.
The vulnerability exists due to improper access control in the UpdateLabel function in the Web UI label update endpoint when handling label edit requests. A remote user can send a specially crafted request with the ID of a label from another repository to modify labels belonging to other repositories.
Only the Web UI endpoint POST /:username/:reponame/labels/edit is affected; the API EditLabel, NewLabel, and DeleteLabel paths use repository-scoped label operations.
11) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25120)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete comments from other repositories.
The vulnerability exists due to authorization bypass through user-controlled key in the DeleteComment endpoint when handling comment deletion requests with user-supplied comment IDs. A remote user can send a specially crafted request with an arbitrary comment ID to delete comments from other repositories.
Exploitation requires administrative access to a repository and knowledge of a target comment ID from another repository.
12) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to path traversal in the POST /:user/:repo/_preview/:branch/:path_to_file endpoint when processing a user-controlled path passed to the git diff command. A remote user can supply a crafted path using the --output option to overwrite critical files and cause a denial of service.
The issue requires an authorized user account and can be used to overwrite files such as the database or configuration file.
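Items 2, 4 and 12 share one root cause: a user-controlled path reaches the filesystem or a git command without being confined to the repository. The following Go helpers are an added defensive illustration, not gogs code: SafeRepoPath is a hypothetical check that normalises the path, confirms it stays under the repository root and rejects names git could parse as options, and DiffArgs shows the "--" end-of-options marker that stops a path from being read as a flag such as --output.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any input that would leave the repository
// or that git could parse as an option instead of a path.
var ErrUnsafePath = errors.New("unsafe path")

// SafeRepoPath (hypothetical helper, not gogs code) normalises a user-supplied
// relative path and returns it only if it stays inside root. It rejects empty
// and absolute paths, NUL bytes, "../" escapes, the root itself, and any cleaned
// name beginning with '-' (which git would otherwise read as an option).
func SafeRepoPath(root, userPath string) (string, error) {
	if userPath == "" || strings.ContainsRune(userPath, 0) || filepath.IsAbs(userPath) {
		return "", ErrUnsafePath
	}
	cleanRoot := filepath.Clean(root)
	// Join cleans "." and ".." segments, so Rel exposes any escape as a leading "..".
	rel, err := filepath.Rel(cleanRoot, filepath.Join(cleanRoot, userPath))
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) ||
		strings.HasPrefix(rel, "-") {
		return "", ErrUnsafePath
	}
	return rel, nil
}

// DiffArgs builds the argv for a "git diff" of one file. Everything after the
// "--" marker is a pathspec to git, so a name that slipped past SafeRepoPath
// still could not be interpreted as --output or any other flag.
func DiffArgs(ref, relPath string) []string {
	return []string{"diff", ref, "--", relPath}
}

func main() {
	root := "/srv/gogs/repositories/alice/demo.git" // constructed sample root
	for _, p := range []string{"docs/README.md", "../../../some/config.ini", "--output=/tmp/x"} {
		rel, err := SafeRepoPath(root, p)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", p, err)
			continue
		}
		fmt.Printf("accepted %q -> git %v\n", p, DiffArgs("HEAD", rel))
	}
}
```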
Remediation
Install the update from the vendor's website.
References
- https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp
- https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g
- https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr
- https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2
- https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57
- https://github.com/gogs/gogs/security/advisories/GHSA-rjv5-9px2-fqw6
- https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj
- https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p
- https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f
- https://github.com/advisories/GHSA-fc3h-92p8-h36f
- https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh
- https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7
- https://github.com/gogs/gogs/security/advisories/GHSA-pm6v-2h4w-4rp2
- https://github.com/gogs/gogs/blob/b7372b1f32cd0bb40984debfb049e3fc04efaee4/internal/route/repo/editor.go#L307