Gogs: Authorization Bypass in Watch API allows any user to...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

Basic Information

ID CVE-2026-52795

Source GitHub_M

Published Jun 24, 2026 at 20:06

Affected Product

Vendor gogs

Product gogs

Version <= 0.14.3

Affected Versions gogs gogs <= 0.14.3

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.",
    "published": "2026-06-24T20:06:15.058Z",
    "modified": "2026-06-24T20:06:15.058Z",
    "type": "cve",
    "title": "Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity",
    "source": "GitHub_M",
    "references": "https://github.com/gogs/gogs/security/advisories/GHSA-v8w7-f6gc-cqc2\nhttps://github.com/gogs/gogs/commit/d61caa3676fde060d0c03ccf815851dddc7c67e0",
    "id": "CVE-2026-52795",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "gogs gogs <= 0.14.3",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "gogs",
    "version": "<= 0.14.3",
    "vendor": "gogs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity_CVE-2026-52795