Improper access control in gogs - CVE-2026-25229
Published: April 27, 2026
gogs
Detailed vulnerability description
The vulnerability allows a remote user to modify labels belonging to other repositories.
The vulnerability exists due to improper access control in the UpdateLabel function behind the Web UI label update endpoint when it handles label edit requests: the label is selected by its ID without verifying that it belongs to the repository named in the request. A remote user can therefore send a specially crafted edit request carrying the ID of a label from another repository and modify that repository's labels.
Only the Web UI endpoint POST /:username/:reponame/labels/edit is affected; the API EditLabel, NewLabel, and DeleteLabel paths use repository-scoped label operations.
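The difference between an unscoped and a repository-scoped label update, shown as an added illustration rather than gogs's own code: `Label`, `LabelStore` and the two update methods are constructed stand-ins, and the in-memory map replaces the database.

```go
package main

import "errors"

// Label is the minimum a label record needs for this illustration: its own ID
// and the ID of the repository that owns it (an illustrative type, not gogs's model).
type Label struct {
	ID     int64
	RepoID int64
	Name   string
}

// ErrLabelNotFound covers both a missing label and, in the scoped path, a
// label that exists but belongs to a different repository.
var ErrLabelNotFound = errors.New("label not found")

// LabelStore is a constructed in-memory stand-in for the label table, keyed by label ID.
type LabelStore map[int64]*Label

// UpdateLabelUnscoped is the weak pattern the advisory describes: the label is
// fetched by ID alone, so repoID (the repository named in the request URL) is
// never consulted and a label ID from any repository is accepted.
func (s LabelStore) UpdateLabelUnscoped(repoID, labelID int64, name string) error {
	l, ok := s[labelID]
	if !ok {
		return ErrLabelNotFound
	}
	l.Name = name
	return nil
}

// UpdateLabelScoped is the hardened form: the lookup is keyed by repository and
// label ID together, so a label owned by another repository is treated exactly
// like one that does not exist (no distinguishing error, no side effect).
func (s LabelStore) UpdateLabelScoped(repoID, labelID int64, name string) error {
	l, ok := s[labelID]
	if !ok || l.RepoID != repoID {
		return ErrLabelNotFound
	}
	l.Name = name
	return nil
}
```

The same "not found" error for a foreign label and for a nonexistent one keeps the endpoint from confirming which label IDs exist in other repositories.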