Permission Bypass in Gogs Self-Hosted Git Service
CVE-2026-52799
7.5 HIGH
What is CVE-2026-52799?
Gogs, an open-source self-hosted Git service, has a vulnerability that lets unauthenticated users download raw attachment files without a proper permission check. In versions prior to 0.14.3, the endpoints did not adequately verify user permissions for private repositories, so attachments linked to Issues, Comments, or Releases could be downloaded by anyone, exposing sensitive data. The vulnerability is fixed in version 0.14.3; update to the latest version to protect your repositories.
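An added example (not Gogs's code and not the actual patch) of the check this class of bug lacks: the raw-attachment handler resolves the attachment to its owning repository and authorizes the requester before serving any bytes. The `Repo` and `Attachment` types, the `X-Demo-User` header and the sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical model for illustration; these are not Gogs's own types.
type Repo struct {
	Private bool
	Readers map[string]bool // users granted read access
}
type Attachment struct {
	Repo *Repo // repository owning the parent issue, comment or release
	Data []byte
}

var store = map[string]*Attachment{ // constructed sample data
	"pub-1":  {Repo: &Repo{}, Data: []byte("public notes")},
	"priv-1": {Repo: &Repo{Private: true, Readers: map[string]bool{"alice": true}}, Data: []byte("internal")},
}

// canRead inherits the repository's visibility; no repository means deny.
func canRead(user string, a *Attachment) bool {
	return a.Repo != nil && (!a.Repo.Private || (user != "" && a.Repo.Readers[user]))
}

// serveRaw authorizes before writing any bytes. X-Demo-User is a stand-in for
// a real session lookup; an empty value means unauthenticated.
func serveRaw(w http.ResponseWriter, r *http.Request) {
	a, ok := store[r.URL.Query().Get("id")]
	if !ok || !canRead(r.Header.Get("X-Demo-User"), a) {
		http.NotFound(w, r) // same answer for "missing" and "not allowed"
		return
	}
	w.Write(a.Data)
}

// fetch returns the status code the given user ("" = anonymous) receives.
func fetch(user, id string) int {
	req := httptest.NewRequest("GET", "/raw?id="+id, nil)
	req.Header.Set("X-Demo-User", user)
	rec := httptest.NewRecorder()
	serveRaw(rec, req)
	return rec.Code
}

func main() { fmt.Println(fetch("", "priv-1"), fetch("alice", "priv-1"), fetch("", "pub-1")) }
```

Returning 404 for both unknown and unauthorized IDs keeps the endpoint from confirming that a private attachment exists.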
Affected Version(s)
gogs < 0.14.3
