Incorrect authorization in gogs - CVE-2026-52795

Published: June 19, 2026


Vulnerability identifier: #VU134892
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52795
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information from private repositories.

The vulnerability exists due to incorrect authorization in the Watch API handler when handling watch requests for private repositories: the handler does not verify that the requesting user is permitted to access the repository before acting on the request. An authenticated remote user (CVSS PR:L) can therefore send a watch request for a private repository they cannot otherwise access and obtain information about that repository that should not be visible to them.

If email notifications are enabled, issue and comment content may also be exposed through notification emails.
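The handler pattern behind a flaw of this kind, shown as an added illustration that is not gogs's code and makes no claim about how the real Watch API handler is written: a hypothetical Go subscription endpoint, first with the repository access check omitted and then with it in place. The X-User header, the Store and Repo types and the alice/secrets repository are constructed stand-ins for session authentication, the database and real data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Repo is the minimal repository model this example needs. Assumption, not
// taken from gogs: a private repo is visible only to its owner and collaborators.
type Repo struct {
	Owner, Name   string
	IsPrivate     bool
	Collaborators map[string]bool
}

// Store is a constructed in-memory stand-in for the database.
type Store struct {
	repos    map[string]*Repo           // "owner/name" -> repo
	watchers map[string]map[string]bool // "owner/name" -> users subscribed
}

func NewStore(repos ...*Repo) *Store {
	s := &Store{repos: map[string]*Repo{}, watchers: map[string]map[string]bool{}}
	for _, r := range repos {
		s.repos[r.Owner+"/"+r.Name] = r
	}
	return s
}

// CanAccess is the authorization check the flawed handler omits.
func (s *Store) CanAccess(user string, r *Repo) bool {
	return !r.IsPrivate || user == r.Owner || r.Collaborators[user]
}

// Watch subscribes user to the repository's notifications.
func (s *Store) Watch(key, user string) {
	if s.watchers[key] == nil {
		s.watchers[key] = map[string]bool{}
	}
	s.watchers[key][user] = true
}

// Watchers returns the sorted list of users subscribed to a repository.
func (s *Store) Watchers(key string) []string {
	out := []string{}
	for u := range s.watchers[key] {
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// WatchHandler serves PUT /repos/{owner}/{repo}/subscription. With
// checkAccess=false it reproduces the flawed pattern: any authenticated user is
// subscribed to any existing repository. With checkAccess=true the caller is
// authorized against the repository before any state changes.
func WatchHandler(s *Store, checkAccess bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User") // constructed stand-in for session auth
		if user == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		p := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if r.Method != http.MethodPut || len(p) != 4 || p[0] != "repos" || p[3] != "subscription" {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		key := p[1] + "/" + p[2]
		repo, ok := s.repos[key]
		// Answer 404 for both "missing" and "not authorized" so the response
		// does not confirm that a private repository exists.
		if !ok || (checkAccess && !s.CanAccess(user, repo)) {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		s.Watch(key, user)
		w.WriteHeader(http.StatusOK)
	})
}

// WatchAs sends one watch request as user and returns the HTTP status code.
func WatchAs(h http.Handler, user, owner, name string) int {
	req := httptest.NewRequest(http.MethodPut, "/repos/"+owner+"/"+name+"/subscription", nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Run builds a private repo "alice/secrets" (constructed data), lets "mallory"
// (no access) and then "alice" (owner) try to watch it, and returns both status
// codes plus the resulting watcher list.
func Run(checkAccess bool) (outsider, owner int, watchers []string) {
	s := NewStore(&Repo{Owner: "alice", Name: "secrets", IsPrivate: true})
	h := WatchHandler(s, checkAccess)
	outsider = WatchAs(h, "mallory", "alice", "secrets")
	owner = WatchAs(h, "alice", "alice", "secrets")
	return outsider, owner, s.Watchers("alice/secrets")
}

func main() {
	o, w, ws := Run(false)
	fmt.Printf("flawed handler: mallory=%d alice=%d watchers=%v\n", o, w, ws)
	o, w, ws = Run(true)
	fmt.Printf("fixed handler:  mallory=%d alice=%d watchers=%v\n", o, w, ws)
}
```

With the check omitted, mallory ends up in the watcher list of a repository she cannot read, which is exactly the state that lets notifications (and, where email is enabled, issue and comment content) flow to her. The two design points worth keeping when reviewing a handler like this are that the access check runs before the state-changing call, and that an unauthorized request is answered with the same 404 as a nonexistent repository so a probing user cannot use the endpoint to confirm that a private repository exists.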

Note: the issue was reported against the development version of gogs (0.15.0+dev) and therefore does not qualify for a vulnerability report or a security bulletin.


How to mitigate CVE-2026-52795

No vendor fix or security bulletin is listed: the issue was reported against the development version of gogs (0.15.0+dev) and therefore does not qualify for a vulnerability report or a security bulletin.

Sources