{“lastseen”:””,”description”:”Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints \u2014 PATCH \/api\/v1\/repos\/:owner\/:repo\/issue-tracker, PATCH \/api\/v1\/repos\/:owner\/:repo\/wiki, and POST \/api\/v1\/repos\/:owner\/:repo\/mirror-sync \u2014 are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode \\u003e= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite \\u003c AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker\/wiki URLs that redirect all repository visitors, or trigger mirror sync \u2014 none of which they are authorized to do. This vulnerability is fixed in 0.14.3.”,”published”:”2026-06-24T20:27:41.410Z”,”modified”:”2026-06-24T20:27:41.410Z”,”type”:”cve”,”title”:”Gogs: Write-level collaborators can mutate admin-only repository settings via API”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/gogs\/gogs\/security\/advisories\/GHSA-268j-37xf-pp52\\nhttps:\/\/github.com\/gogs\/gogs\/pull\/8327\\nhttps:\/\/github.com\/gogs\/gogs\/commit\/6283462119bd8894f1599d70339b5e823f99954a\\nhttps:\/\/github.com\/gogs\/gogs\/releases\/tag\/v0.14.3″,”id”:”CVE-2026-52808″,”bulletinFamily”:””,”cwe”:[“CWE-863″,”CWE-269″],”cvelist”:null,”sourceData”:”gogs gogs \\u003c 0.14.3″,”sourceHref”:””,”cvss”:{“score”:7.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:L”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”gogs”,”version”:”\\u003c 0.14.3″,”vendor”:”gogs”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints \u2014 PATCH \/api\/v1\/repos\/:owner\/:repo\/issue-tracker, PATCH \/api\/v1\/repos\/:owner\/:repo\/wiki, and POST \/api\/v1\/repos\/:owner\/:repo\/mirror-sync \u2014 are gated…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,50,12,15,13,7,11,5],"class_list":["post-65558","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-71","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n