CVE-2026-23632

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-06 18:15

Updated : 2026-02-17 21:53

NVD link : CVE-2026-23632

Mitre link : CVE-2026-23632

CVE.ORG link : CVE-2026-23632

JSON object : View

Products Affected

gogs

gogs

CWE

CWE-862

Missing Authorization

CWE-863

Incorrect Authorization

{"id": "CVE-2026-23632", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-06T18:15:56.553", "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint \"PUT /repos/:owner/:repo/contents/*\" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev."}, {"lang": "es", "value": "Gogs es un servicio Git autoalojado de c\u00f3digo abierto. En la versi\u00f3n 0.13.3 y anteriores, el endpoint 'PUT /repos/:owner/:repo/contents/*' no requiere permisos de escritura y permite el acceso solo con permiso de lectura a trav\u00e9s de repoAssignment(). Despu\u00e9s de pasar la verificaci\u00f3n de permisos, PutContents() invoca a UpdateRepoFile(), lo que resulta en la creaci\u00f3n de un commit y la ejecuci\u00f3n de git push. Como resultado, un token con permiso de solo lectura puede ser utilizado para modificar el contenido del repositorio. Este problema ha sido parcheado en las versiones 0.13.4 y 0.14.0+dev."}], "lastModified": "2026-02-17T21:53:45.123", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "674F0DE0-7669-4B02-B45E-DD60FB5D462F", "versionEndExcluding": "0.13.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}