Incorrect authorization in gogs - CVE-2026-52808

 


Published: June 19, 2026


Vulnerability identifier: #VU134901
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52808
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software: gogs

Detailed vulnerability description

The vulnerability allows a remote user to modify repository settings and trigger mirror synchronization.

The vulnerability exists due to incorrect authorization in the repository settings API endpoints when handling authenticated API requests to update issue tracker settings, wiki settings, or mirror synchronization. A remote user can send crafted API requests to modify repository settings and trigger mirror synchronization.

The issue affects write-level collaborators who can access admin-equivalent endpoints for issue tracker, wiki, and mirror settings without repository admin privileges.
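A minimal model of this class of flaw (CWE-863), added here as an illustration and not taken from the Gogs code base: a blanket write-level gate is compared with a per-action check that fails closed. The type, action names and functions are assumptions made for the example.

```go
package main

import "fmt"

// AccessLevel is a hypothetical permission tier, not a Gogs type.
type AccessLevel int

const (
	AccessRead AccessLevel = iota + 1
	AccessWrite
	AccessAdmin
)

// Constructed action names for the three operations the advisory lists,
// plus an ordinary write-level operation for contrast.
var actions = []string{"push_code", "edit_issue_tracker", "edit_wiki", "sync_mirror"}

// required is the minimum level per action; settings and mirror sync need admin.
var required = map[string]AccessLevel{
	"push_code":          AccessWrite,
	"edit_issue_tracker": AccessAdmin,
	"edit_wiki":          AccessAdmin,
	"sync_mirror":        AccessAdmin,
}

// FlawedAllow models the bug class: one blanket write-level gate for every action.
func FlawedAllow(level AccessLevel, action string) bool {
	return level >= AccessWrite
}

// Allow enforces the per-action minimum and fails closed on unknown actions.
func Allow(level AccessLevel, action string) bool {
	need, ok := required[action]
	return ok && level >= need
}

// Overprivileged returns the actions the flawed gate grants but Allow denies.
func Overprivileged(level AccessLevel) []string {
	var out []string
	for _, a := range actions {
		if FlawedAllow(level, a) && !Allow(level, a) {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	fmt.Println("write-level excess:", Overprivileged(AccessWrite))
	fmt.Println("admin-level excess:", Overprivileged(AccessAdmin))
}
```

A table-driven comparison like `Overprivileged` works well as a regression test: any action that a non-admin level can reach through the gate but not through the policy map is an authorization gap.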


How to mitigate CVE-2026-52808

Install the security update from the vendor's website.
