Incorrect authorization in gogs - CVE-2026-25232


Published: April 27, 2026


Vulnerability identifier: #VU128091
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25232
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to bypass branch protection and delete protected branches.

The vulnerability exists due to improper access control in the DeleteBranchPost function in the web interface when handling direct POST requests to branch deletion endpoints. A remote user can send a specially crafted POST request to bypass branch protection and delete protected branches.

The issue can be triggered by repository collaborators with Write permission and can also be used to delete the default branch, because the web deletion path does not trigger the Git hook layer checks that protect branches on push.
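The following Go snippet is an added illustration, not Gogs' own code: it models the authorization gap described above with a hypothetical, simplified repository type. The function names, fields and sample repository (a protected default branch "main", a protected "release" branch and an unprotected "feature" branch) are all constructed for the example. The unchecked variant stands in for a web deletion path that only verifies write permission and branch existence; the checked variant adds the default-branch and branch-protection checks that the hook layer would otherwise enforce, so that both paths to a deletion apply the same policy.

```go
package main

import (
	"errors"
	"fmt"
)

// Repo is a hypothetical, simplified repository model used only for this
// example; it is not a Gogs type.
type Repo struct {
	Name          string
	DefaultBranch string
	Branches      map[string]bool // branch name -> exists
	Protected     map[string]bool // branch name -> branch protection enabled
}

// User is likewise a constructed type; HasWrite models a collaborator with
// Write permission on the repository.
type User struct {
	Name     string
	HasWrite bool
}

var (
	ErrNoWrite       = errors.New("user lacks write permission")
	ErrNoSuchBranch  = errors.New("branch does not exist")
	ErrProtected     = errors.New("branch is protected")
	ErrDefaultBranch = errors.New("cannot delete the default branch")
)

// deleteBranchUnchecked models the flawed web path: it verifies only that the
// caller has write permission and that the branch exists, then deletes it.
// Branch protection and the default-branch rule are never consulted, so a
// Write collaborator can remove a protected branch (or the default branch).
func deleteBranchUnchecked(r *Repo, u User, branch string) error {
	if !u.HasWrite {
		return ErrNoWrite
	}
	if !r.Branches[branch] {
		return ErrNoSuchBranch
	}
	delete(r.Branches, branch)
	return nil
}

// deleteBranchChecked applies, in the web handler itself, the same policy the
// git hook layer enforces on push: refuse to delete the default branch and
// refuse to delete any branch with protection enabled.
func deleteBranchChecked(r *Repo, u User, branch string) error {
	if !u.HasWrite {
		return ErrNoWrite
	}
	if !r.Branches[branch] {
		return ErrNoSuchBranch
	}
	if branch == r.DefaultBranch {
		return ErrDefaultBranch
	}
	if r.Protected[branch] {
		return ErrProtected
	}
	delete(r.Branches, branch)
	return nil
}

// newSampleRepo builds a constructed repository for demonstration.
func newSampleRepo() *Repo {
	return &Repo{
		Name:          "example/repo",
		DefaultBranch: "main",
		Branches:      map[string]bool{"main": true, "release": true, "feature": true},
		Protected:     map[string]bool{"main": true, "release": true},
	}
}

func main() {
	collaborator := User{Name: "alice", HasWrite: true}

	// Flawed path: the protected "release" branch is deleted without error.
	r := newSampleRepo()
	fmt.Println("unchecked delete of release:", deleteBranchUnchecked(r, collaborator, "release"))

	// Hardened path: the same request is refused, and so is the default branch.
	r = newSampleRepo()
	fmt.Println("checked delete of release:", deleteBranchChecked(r, collaborator, "release"))
	fmt.Println("checked delete of main:", deleteBranchChecked(r, collaborator, "main"))
	fmt.Println("checked delete of feature:", deleteBranchChecked(r, collaborator, "feature"))
}
```

The design point is that authorization for a destructive action must live in every code path that performs it, not only in the hook that guards pushes; a handler that reaches the deletion through a different route has to re-apply the branch-protection and default-branch rules itself.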


How to mitigate CVE-2026-25232

Install security update from vendor's website.

Sources