Back to overview

CVE-2026-52812

HIGH
7.1
CVSS 4.0
Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3.

Metadata

CVE ID
CVE-2026-52812
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-08 18:11 UTC
Published
2026-06-24 20:32 UTC
Last updated
2026-06-24 20:32 UTC
Primary CWE
CWE-345
CWE-345: Insufficient Verification of Data Authenticity
Vendor / Product
gogs / gogs
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
gogs gogs < 0.14.3
Weakness (CWE)
CWESourceDescription
CWE-345 cna CWE-345: Insufficient Verification of Data Authenticity
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
References (4)
Back to overview