Authentication Bypass by Spoofing in gogs - CVE-2026-25119

Published: June 19, 2026

Vulnerability identifier: #VU134912
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-25119
CWE-ID: CWE-290
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gogs.io
Affected software: gogs

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and impersonate arbitrary users.

The vulnerability exists due to authentication bypass by spoofing in the authenticatedUser function in internal/context/auth.go when handling reverse proxy authentication headers from incoming HTTP requests. A remote attacker can send a specially crafted request with a forged authentication header to bypass authentication and impersonate arbitrary users.

Only instances with reverse proxy authentication enabled are vulnerable. If automatic reverse proxy user registration is enabled, exploitation can also create a new activated account.
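The defensive check behind this class of bug (CWE-290 via a reverse proxy header) is that the application must only honour the identity header when the TCP peer is the proxy itself, never when a client reaches the application directly. The Go code below is an added illustration written for this page, not Gogs' own implementation; the header name X-WEBAUTH-USER and the trusted CIDRs are assumptions, and the weak method is kept alongside the hardened one so the difference is visible.

```go
package main

import (
	"net"
	"net/http"
)

// ProxyAuth resolves the user asserted by a reverse proxy header.
// Illustrative code, not Gogs' implementation; header name is assumed.
type ProxyAuth struct {
	Header  string       // e.g. "X-WEBAUTH-USER"
	Trusted []*net.IPNet // source networks the proxy connects from
}

// NewProxyAuth parses trusted proxy CIDRs such as "127.0.0.1/32".
func NewProxyAuth(header string, cidrs ...string) (ProxyAuth, error) {
	p := ProxyAuth{Header: header}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return ProxyAuth{}, err
		}
		p.Trusted = append(p.Trusted, n)
	}
	return p, nil
}

// UnsafeUser trusts the header from any peer: the weak pattern in
// CWE-290, where a client-supplied header impersonates any user.
func (p ProxyAuth) UnsafeUser(r *http.Request) (string, bool) {
	u := r.Header.Get(p.Header)
	return u, u != ""
}

// User honours the header only when the TCP peer is a trusted proxy,
// so a request that reaches the app directly carries no identity.
func (p ProxyAuth) User(r *http.Request) (string, bool) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return "", false
	}
	for _, n := range p.Trusted {
		if n.Contains(ip) {
			return p.UnsafeUser(r)
		}
	}
	return "", false
}
```

The peer check only helps if the proxy itself overwrites or strips the header on every inbound request; otherwise a client can still pass a forged value through the trusted hop.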

How to mitigate CVE-2026-25119

Install the security update from the vendor's website.

Sources