Insufficient verification of data authenticity in gogs - CVE-2026-52812


Published: June 19, 2026


Vulnerability identifier: #VU134896
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52812
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software:
gogs

Detailed vulnerability description

The vulnerability allows a remote user to read the contents of Git LFS objects belonging to other users' private repositories on the same instance.

The vulnerability exists due to insufficient verification of data authenticity in Git LFS upload and download handling. When an upload names an object identifier (OID) that already exists on the instance, the server does not verify that the uploaded bytes actually hash to that OID. A remote user can therefore upload arbitrary bytes while claiming the OID of an object stored by a private repository, and then retrieve the real object's content through the download endpoint of a repository they control.

Exploitation requires write access to one repository on the instance, Git LFS to be enabled, and knowledge of a target OID (the SHA-256 of the object's content) that is already present on the instance.
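The following Go program is an added illustration of the weakness class described above; it is not Gogs' code and makes no claim about how Gogs stores LFS objects. It assumes a hypothetical server model with one content-addressed object pool shared by all repositories plus a per-repository index that controls what the download endpoint will serve. UploadTrusting takes the claimed OID on faith and links any existing object to the caller's repository; UploadVerified hashes the body and refuses to store or link anything unless the hash equals the claimed OID. The names Store, OID, UploadTrusting, UploadVerified and Download, and the sample blob, are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Errors returned by the model handlers (hypothetical, not Gogs' own).
var (
	ErrBadOID      = errors.New("lfs: malformed object id")
	ErrOIDMismatch = errors.New("lfs: uploaded content does not hash to the claimed oid")
	ErrNotFound    = errors.New("lfs: object not found for this repository")
)

// Git LFS object ids are the lowercase hex SHA-256 of the object's content.
var oidRe = regexp.MustCompile(`^[0-9a-f]{64}$`)

// OID returns the Git LFS object id for data (SHA-256, lowercase hex).
func OID(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Store is a hypothetical server-side model: one content-addressed object
// pool shared by every repository on the instance, plus a per-repository
// index of which oids that repository is allowed to serve on download.
type Store struct {
	objects map[string][]byte          // oid -> content (shared across tenants)
	index   map[string]map[string]bool // repo -> set of oids linked to it
}

func NewStore() *Store {
	return &Store{objects: map[string][]byte{}, index: map[string]map[string]bool{}}
}

func (s *Store) link(repo, oid string) {
	if s.index[repo] == nil {
		s.index[repo] = map[string]bool{}
	}
	s.index[repo][oid] = true
}

// UploadTrusting models the weak pattern: the oid in the request path is
// taken on faith. If an object with that oid is already in the pool, the
// upload body is discarded and the existing object is linked to the
// caller's repository without ever checking that the body hashes to it.
func (s *Store) UploadTrusting(repo, oid string, body []byte) error {
	if !oidRe.MatchString(oid) {
		return ErrBadOID
	}
	if _, exists := s.objects[oid]; !exists {
		s.objects[oid] = body
	}
	s.link(repo, oid)
	return nil
}

// UploadVerified models the hardened pattern: the body is hashed and must
// equal the claimed oid before anything is stored or linked. A caller can
// then only link an existing object to its repository by presenting the
// exact content, which it must already possess.
func (s *Store) UploadVerified(repo, oid string, body []byte) error {
	if !oidRe.MatchString(oid) {
		return ErrBadOID
	}
	if OID(body) != oid {
		return ErrOIDMismatch
	}
	if _, exists := s.objects[oid]; !exists {
		s.objects[oid] = body
	}
	s.link(repo, oid)
	return nil
}

// Download serves an object only if it is linked to the requesting
// repository; clients never address the shared pool directly.
func (s *Store) Download(repo, oid string) ([]byte, error) {
	if !s.index[repo][oid] {
		return nil, ErrNotFound
	}
	data, ok := s.objects[oid]
	if !ok {
		return nil, ErrNotFound
	}
	return data, nil
}

func main() {
	secret := []byte("constructed: private repo LFS blob") // constructed sample content
	oid := OID(secret)

	// Victim's private repository stores the blob; the attacker knows only the oid.
	weak := NewStore()
	weak.UploadVerified("victim/private", oid, secret)
	weak.UploadTrusting("attacker/repo", oid, []byte("junk"))
	leaked, err := weak.Download("attacker/repo", oid)
	fmt.Printf("weak handler: err=%v leaked=%q\n", err, leaked)

	hard := NewStore()
	hard.UploadVerified("victim/private", oid, secret)
	err = hard.UploadVerified("attacker/repo", oid, []byte("junk"))
	_, dlErr := hard.Download("attacker/repo", oid)
	fmt.Printf("hardened handler: upload err=%v download err=%v\n", err, dlErr)
}
```

The check that matters is the comparison of the hash of the received bytes against the claimed OID before the object is linked to the uploader's repository; with it in place, the only way to link an existing object is to present its full content, so the download endpoint cannot reveal anything the caller did not already hold.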


How to mitigate CVE-2026-52812

Install the security update from the vendor's website.

Sources