API Misconfiguration in Gogs Self-Hosted Git Service
CVE-2026-52808

7.1HIGH

Key Information:

Vendor

Gogs

Status
Gogs
Vendor
CVE Published:
24 June 2026

What is CVE-2026-52808?

A misconfiguration in Gogs, an open-source self-hosted Git service, allows write-level collaborators to access restricted API endpoints. Specifically, prior to version 0.14.3, three API endpoints intended for admin use were instead accessible by users with lower access privileges. This flaw allows unauthorized actions such as disabling the issue tracker or wiki functionality, as well as injecting potentially harmful external URLs, posing a risk to repository integrity and user trust.

Affected Version(s)

gogs < 0.14.3

References

https://github.com/gogs/gogs/security/advisories/GHSA-268...
x_refsource_CONFIRM
https://github.com/gogs/gogs/pull/8327
x_refsource_MISC
https://github.com/gogs/gogs/commit/6283462119bd8894f1599...
x_refsource_MISC

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.