CVE-2026-52809 | Gogs is an open source self-hosted Git service. Prior to 0.1… | CVSS 6.8 MEDIUM

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.

Metadata

CVE ID: CVE-2026-52809
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:02 UTC
Published: 2026-06-24 20:29 UTC
Last updated: 2026-06-24 20:29 UTC
Primary CWE: CWE-324
CWE-324: Use of a Key Past its Expiration Date
Vendor / Product: gogs / gogs
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
gogs	gogs	—	< 0.14.3

Weakness (CWE)

CWE	Source	Description
CWE-324	cna	CWE-324: Use of a Key Past its Expiration Date
CWE-613	cna	CWE-613: Insufficient Session Expiration

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References (2)

https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g
https://github.com/gogs/gogs/releases/tag/v0.14.3 https://github.com/gogs/gogs/releases/tag/v0.14.3