CVE-2026-23632 in Gogs

Summary

by MITRE • 02/06/2026

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.


Analysis

by VulDB Data Team • 02/09/2026

The vulnerability identified as CVE-2026-23632 affects Gogs, an open source self-hosted Git service that provides repository management for organizations hosting their own Git infrastructure. The flaw exists in versions 0.13.3 and earlier and is a critical permission escalation issue that undermines the repository access-control model. It stems from an inadequate authorization check on the repository content modification endpoint, PUT /repos/:owner/:repo/contents/*, which handles file updates.

The technical flaw is a permission check that does not enforce write access for repository content modifications. The repoAssignment() function lets authenticated users with read-only access proceed to the content modification handler despite lacking write permission. Because PutContents() is reached without adequate verification of the caller's privileges, it goes on to call UpdateRepoFile(), which creates a commit and runs git push. This is a classic authorization bypass: the permission model is circumvented because the check validates the wrong access level for the operation being performed.

The operational impact is significant: an attacker holding only a read-only token can make unauthorized modifications to repository contents, undermining the repository's integrity and security posture. An attacker could use the flaw to inject malicious code, modify configuration files, or introduce backdoors into the codebase without elevated privileges. Organizations relying on Gogs for source code management are particularly exposed where read-only access is routinely granted to developers or automated systems, since that access becomes a vector for privilege escalation and code tampering. The issue has been addressed in version 0.13.4 and the 0.14.0+dev development versions by implementing proper access control checks and enforcing write permission for content modification operations.

Security professionals should note that this vulnerability aligns with CWE-285, which covers improper authorization, and maps to ATT&CK technique T1078.004, related to valid accounts and privilege escalation. Organizations running affected Gogs versions should upgrade to a patched release immediately, since the vulnerability allows read-only access to be used for write operations. The fix enforces the authorization check before any content modification is permitted, so that only users with write permission can create commits, run git push, and modify repository contents. This remediation addresses the core issue by strengthening the permission validation mechanism so that repository access controls function as intended within the software's security architecture.
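As an added illustration (not Gogs' own code), the following Go sketch contrasts an authorization step that, like the one described above, admits any caller with read access regardless of HTTP method, with one that derives the required access level from the method so that a PUT to the contents endpoint needs write access; the AccessMode type and the function names are assumed for the example.

```go
package main

import "errors"

// AccessMode models a token's per-repository permission (illustrative names, not Gogs' types).
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
)

var ErrForbidden = errors.New("forbidden: insufficient repository access")

// repoAssignmentVulnerable mirrors the advisory's flaw: read access passes for
// every HTTP method, so a PUT to /contents/* reaches the file-update handler.
func repoAssignmentVulnerable(method string, mode AccessMode) error {
	if mode < AccessRead {
		return ErrForbidden
	}
	return nil
}

// requiredMode derives the access a route must demand from its HTTP method.
func requiredMode(method string) AccessMode {
	switch method {
	case "PUT", "POST", "PATCH", "DELETE":
		return AccessWrite
	}
	return AccessRead
}

// repoAssignmentFixed demands write access for mutating methods before the
// handler that creates a commit and runs git push is reached.
func repoAssignmentFixed(method string, mode AccessMode) error {
	if mode < requiredMode(method) {
		return ErrForbidden
	}
	return nil
}

// PutContents runs the chosen authorization step and reports whether the
// update (commit plus git push in the real service) would have gone ahead.
func PutContents(check func(string, AccessMode) error, method string, mode AccessMode) (bool, error) {
	if err := check(method, mode); err != nil {
		return false, err
	}
	return true, nil
}
```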

Responsible: GitHub M
Reservation: 01/14/2026
Disclosure: 02/06/2026
Moderation: accepted
CPE: ready
EPSS: 0.00019
KEV: no
Activities: very low
