CVE-2026-52795 | Gogs is an open source self-hosted Git service. In 0.14.3 an… | CVSS 4.3 MEDIUM

Description

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

Metadata

CVE ID: CVE-2026-52795
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:02 UTC
Published: 2026-06-24 20:06 UTC
Last updated: 2026-06-24 20:06 UTC
Primary CWE: CWE-863
CWE-863: Incorrect Authorization
Vendor / Product: gogs / gogs
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
gogs	gogs	—	<= 0.14.3

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863: Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (2)

https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2 https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2
https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0 https://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0