Gogs Git Service Vulnerability Allowing Unauthorized Access to Private Repositories
CVE-2026-52795

4.3 MEDIUM

Key Information:

Vendor: Gogs
Status: Vendor
CVE Published: 24 June 2026

What is CVE-2026-52795?

In Gogs versions 0.14.3 and earlier, an improper access control vulnerability exists in the Watch API handler. Because of an inverted access control check in the handler code, any authenticated user is able to watch private repositories to which they should not have access. Watching a repository exposes sensitive information such as commit messages, branch names, issue titles, and pull request details from those private repositories. Furthermore, if email notifications are enabled, these unauthorized users receive emails containing the contents of issues and comments, posing a significant privacy risk.
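The paragraph above describes an inverted access check; the Go code below is an added illustration of that bug class and is not Gogs' own code. The type names, the owner-or-collaborator access rule, and the handler shape are assumptions made for the example, with the inverted condition shown beside the corrected one.

```go
package main

import "fmt"

// Constructed stand-ins for this example; not the Gogs data model.
type User struct{ ID string }

type Repo struct {
	Name          string
	IsPrivate     bool
	OwnerID       string
	Collaborators map[string]bool
}

// hasReadAccess is the assumed rule: the owner or a collaborator may read the repo.
func hasReadAccess(u User, r Repo) bool {
	return u.ID == r.OwnerID || r.Collaborators[u.ID]
}

// vulnerableCanWatch models the bug class: the negation is on the wrong side of the
// condition, so exactly the users who lack access to a private repo are let through
// while the legitimate owner and collaborators are refused.
func vulnerableCanWatch(u User, r Repo) bool {
	if r.IsPrivate && hasReadAccess(u, r) {
		return false
	}
	return true
}

// fixedCanWatch denies the watch unless the repo is public or the user can read it.
func fixedCanWatch(u User, r Repo) bool {
	if r.IsPrivate && !hasReadAccess(u, r) {
		return false
	}
	return true
}

// watchStatus is a hypothetical handler skeleton returning the HTTP status an
// API client would see: 403 when the check denies, 204 when the watch is recorded.
func watchStatus(check func(User, Repo) bool, u User, r Repo) int {
	if !check(u, r) {
		return 403
	}
	return 204
}

func main() {
	priv := Repo{Name: "secret", IsPrivate: true, OwnerID: "alice", Collaborators: map[string]bool{}}
	outsider := User{ID: "mallory"}
	fmt.Printf("vulnerable: outsider watching private repo -> %d\n", watchStatus(vulnerableCanWatch, outsider, priv))
	fmt.Printf("fixed:      outsider watching private repo -> %d\n", watchStatus(fixedCanWatch, outsider, priv))
}
```

A regression test for a fix of this kind should cover all four combinations of private/public and authorized/unauthorized, since an inverted condition passes the public-repo cases and only fails on private repositories.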

Affected Version(s)

gogs <= 0.14.3

References

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
