Use of GET Request Method With Sensitive Query Strings in gogs - CVE-2026-26196

 

Published: April 27, 2026


Vulnerability identifier: #VU128096
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26196
CWE-ID: CWE-598
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to the use of the GET request method with sensitive query strings in the API authentication logic when processing API requests with token or access_token URL parameters. A remote user can send a request with an access token in the query string to disclose sensitive information.

Exposed tokens may leak through logs, browser history, shell history, and referrer headers, and may be reused until revoked.
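
The log and referrer exposure described above can be checked for on the server side. The following Python script is an added example, not code from gogs or from this advisory: it scans access log lines for token or access_token in the request target or the Referer field, redacts the value, and reports a short SHA-256 fingerprint so the affected token can be identified for revocation. The combined log format, the function names and all sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

SENSITIVE_PARAMS = {"token", "access_token"}  # parameter names from the advisory

# Request target and Referer of a combined-format access log line (assumed format).
LINE_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample lines; hosts, paths and token values are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Apr/2026:10:00:01 +0000] "GET /api/v1/user/repos'
    '?token=0123456789abcdef0123 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [27/Apr/2026:10:00:05 +0000] "GET /api/v1/user/repos'
    ' HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.9 - - [27/Apr/2026:10:01:00 +0000] "GET /logo.png HTTP/1.1" 200 99 '
    '"https://git.example.test/api/v1/user?access_token=feedfacefeedface&page=2" "Mozilla/5.0"',
]


def scrub(url):
    """Return (redacted_url, fingerprints) for one request target or Referer."""
    parts = urlsplit(url)
    prints, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in SENSITIVE_PARAMS and value:
            # A short SHA-256 prefix identifies which token to revoke
            # without copying the secret into the report.
            prints.append(hashlib.sha256(value.encode()).hexdigest()[:12])
            value = "REDACTED"
        kept.append((name, value))
    return parts._replace(query=urlencode(kept)).geturl(), prints


def scan_line(line):
    """Return (redacted_line, findings); findings are (field, fingerprint) pairs."""
    match = LINE_RE.search(line)
    findings, redacted = [], line
    for field in ("target", "referer") if match else ():
        clean, prints = scrub(match.group(field))
        if prints:
            redacted = redacted.replace(match.group(field), clean)
            findings += [(field, p) for p in prints]
    return redacted, findings


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        safe_line, hits = scan_line(entry)
        print(hits, safe_line)
```

Any token the scan reports should be treated as exposed and revoked, since the advisory notes that leaked tokens remain usable until then.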


How to mitigate CVE-2026-26196

Install the security update from the vendor's website.
