Gogs user can update repository content with read-only permission

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Basic Information

ID CVE-2026-23632

Source GitHub_M

Published Feb 6, 2026 at 17:43

Modified Feb 6, 2026 at 18:54

Affected Product

Vendor gogs

Product gogs

Version < 0.14.0+dev

Affected Versions gogs gogs < 0.14.0+dev
gogs gogs < 0.13.4

CWE Classification

CWE-862 CWE-863

References

github.com /gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr

{
    "lastseen": "",
    "description": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint \"PUT /repos/:owner/:repo/contents/*\" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.",
    "published": "2026-02-06T17:43:45.757Z",
    "modified": "2026-02-06T18:54:15.180Z",
    "type": "cve",
    "title": "Gogs user can update repository content with read-only permission",
    "source": "GitHub_M",
    "references": "https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr",
    "id": "CVE-2026-23632",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862",
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "gogs gogs < 0.14.0+dev\ngogs gogs < 0.13.4",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "gogs",
    "version": "< 0.14.0+dev",
    "vendor": "gogs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Gogs user can update repository content with read-only permission_CVE-2026-23632