CVE-2026-25229

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gogs/gogs/commit/643a6d6353cb6a182a4e1f0720228727f30a3ad2	Patch
https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh	Exploit Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-19 07:17

Updated : 2026-02-19 19:45

NVD link : CVE-2026-25229

Mitre link : CVE-2026-25229

CVE.ORG link : CVE-2026-25229

JSON object : View

Products Affected

gogs

gogs

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-25229", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-19T07:17:45.363", "references": [{"url": "https://github.com/gogs/gogs/commit/643a6d6353cb6a182a4e1f0720228727f30a3ad2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1."}, {"lang": "es", "value": "Gogs es un servicio Git de c\u00f3digo abierto autoalojado. Las versiones 0.13.4 e inferiores tienen una vulnerabilidad de control de acceso roto que permite a usuarios autenticados con acceso de escritura a cualquier repositorio modificar etiquetas pertenecientes a otros repositorios. La funci\u00f3n UpdateLabel en la interfaz de usuario web (Web UI) (internal/route/repo/issue.go) no verifica que la etiqueta que se est\u00e1 modificando pertenezca al repositorio especificado en la ruta URL, lo que permite ataques de manipulaci\u00f3n de etiquetas entre repositorios. La vulnerabilidad existe en el endpoint de actualizaci\u00f3n de etiquetas de la interfaz de usuario web (Web UI) POST /:username/:reponame/labels/edit. La funci\u00f3n gestora UpdateLabel utiliza una funci\u00f3n de consulta de base de datos incorrecta que omite la validaci\u00f3n de propiedad del repositorio. Este problema ha sido corregido en la versi\u00f3n 0.14.1."}], "lastModified": "2026-02-19T19:45:35.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44DD72D9-ED94-407D-8C71-6C2B039C65BB", "versionEndExcluding": "0.14.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}