Authorization Bypass in Gogs Git Service Affecting Open Source Development
CVE-2026-52812

7.1 HIGH

Key Information:

Vendor: Gogs

Status
Vendor
CVE Published: 24 June 2026

What is CVE-2026-52812?

The Gogs Git service has a vulnerability in which a user with write access to one repository can link that repository to a Git LFS object identifier (OID) owned by a private repository, because request body hashes are not properly validated. The issue originates in the way Git LFS storage is handled and can lead to data exposure and unauthorized access to sensitive information. It is addressed in version 0.14.3, which underlines the importance of keeping software up to date to mitigate such risks.
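The following added example (not Gogs source code and not the 0.14.3 patch) shows the kind of check the description says was missing: a repository is linked to an OID only when the uploaded body actually hashes to that OID, including when the object already exists in shared storage. It assumes LFS OIDs are hex-encoded SHA-256 digests, as in the Git LFS specification; `objectStore`, `Upload` and `CanRead` are hypothetical names and the in-memory store is a stand-in.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

var ErrOIDMismatch = errors.New("lfs: body hash does not match claimed OID")

// objectStore is a hypothetical stand-in for LFS storage shared across repositories.
type objectStore struct {
	blobs map[string][]byte  // OID -> content
	links map[[2]string]bool // {repository, OID} -> repository may read the object
}

func newObjectStore() *objectStore {
	return &objectStore{blobs: map[string][]byte{}, links: map[[2]string]bool{}}
}

// Upload links oid to repo only if the body hashes to oid, even for an existing object.
func (s *objectStore) Upload(repo, oid string, body io.Reader) error {
	want, err := hex.DecodeString(oid)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("lfs: malformed OID %q", oid)
	}
	data, err := io.ReadAll(body)
	if err != nil {
		return err
	}
	if sum := sha256.Sum256(data); subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return ErrOIDMismatch // caller has not shown that it holds the content
	}
	s.blobs[oid], s.links[[2]string{repo, oid}] = data, true
	return nil
}

func (s *objectStore) CanRead(repo, oid string) bool { return s.links[[2]string{repo, oid}] }

func main() {
	data := []byte("constructed sample object")
	sum := sha256.Sum256(data)
	s, oid := newObjectStore(), hex.EncodeToString(sum[:])
	fmt.Println(s.Upload("team/private", oid, bytes.NewReader(data)))
	fmt.Println(s.Upload("user/other", oid, bytes.NewReader([]byte("x"))))
}
```

A production handler would stream large bodies to temporary storage while hashing rather than buffering them in memory.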

Affected Version(s)

gogs < 0.14.3

References

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
