CVE-2026-52800 in Gogs
Summary
by MITRE • 06/25/2026
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.
Analysis
by VulDB Data Team • 06/25/2026
The Gogs Git service vulnerability represents a critical access control flaw that undermines organizational security boundaries through improper cross-site request forgery protection mechanisms. This weakness specifically affects the management of team memberships within organization structures, where the application fails to validate the authenticity of GET requests that modify user permissions. The vulnerability exists in versions prior to 0.14.3 and demonstrates a fundamental failure in implementing proper request validation patterns that should be enforced for all administrative operations. Organizations using affected versions face significant risk, as this flaw allows an attacker to escalate privileges through social engineering without ever holding the victim's credentials: the victim's own browser supplies them with the forged request.
The technical exploitation of this vulnerability relies on the absence of CSRF tokens for GET requests that modify organizational team membership, a pattern that violates established security best practices and standards such as those outlined in CWE-352. When an authenticated organization owner visits a maliciously crafted link, the application processes the request without verifying that it originated from a legitimate administrative interface rather than an attacker-controlled webpage. This represents a classic CSRF attack vector where the victim's browser automatically includes session cookies and other authentication tokens with the request, effectively allowing the attacker to perform unauthorized actions on behalf of the victim. The specific impact involves the addition of attacker-controlled users to the Owners team, which grants them equivalent privileges to the legitimate organization owner.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass complete organizational compromise. Once an attacker gains membership in the Owners team, they can manipulate repository permissions, modify organization settings, delete critical infrastructure, and potentially access sensitive data that was previously restricted to authorized personnel only. This vulnerability particularly affects organizations that rely on Gogs for code management and collaborative development environments where the loss of administrative control could result in significant operational disruption and potential data breaches. The attack vector through social engineering makes this vulnerability especially dangerous as it requires minimal technical skill from the attacker while potentially causing maximum damage to the targeted organization's security posture.
Organizations should immediately upgrade to Gogs version 0.14.3 or later, which implements proper CSRF protection mechanisms for all administrative operations, to remediate this vulnerability. The fix addresses the root cause by ensuring that all requests modifying team memberships require proper validation tokens regardless of the HTTP method used. Security teams should also implement additional monitoring for unusual team membership changes and consider deploying web application firewalls that can detect and block suspicious request patterns. This vulnerability aligns with ATT&CK technique T1078.004, which covers valid accounts and privilege escalation through manipulation of administrative permissions, emphasizing the importance of implementing defense-in-depth strategies to protect against such attacks. Regular security assessments should be conducted to ensure proper implementation of CSRF protection mechanisms across all application interfaces that handle sensitive administrative operations.
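A hardened form of the kind of team-membership handler the analysis describes, written as an added example in Go (Gogs' language); it is not Gogs' own code, and the route path, the `session` cookie name, the `_csrf` form field and the in-memory session map are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"net/http"
)

// Constructed stand-ins for the session store (session id -> CSRF token) and the Owners team.
var sessionTokens = map[string]string{"session-abc": "csrf-tok-123"}
var owners = map[string]bool{}

// addOwnerHandler guards a state-changing "add user to the Owners team" action. The
// advisory's defect was that this kind of action answered to a bare GET, so a browser
// that merely followed a crafted link performed it with its session cookie attached.
func addOwnerHandler(w http.ResponseWriter, r *http.Request) {
	// 1. A state change never rides on GET: a link or <img> can only issue GET.
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", http.MethodPost)
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	// 2. The session cookie, attached automatically by the browser, identifies the user...
	c, err := r.Cookie("session")
	if err != nil {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	expected, ok := sessionTokens[c.Value]
	if !ok {
		http.Error(w, "unknown session", http.StatusUnauthorized)
		return
	}
	// 3. ...and a per-session CSRF token, unreadable to a cross-site page, proves the
	//    request came from the application's own form. Compare in constant time.
	if subtle.ConstantTimeCompare([]byte(r.FormValue("_csrf")), []byte(expected)) != 1 {
		http.Error(w, "invalid CSRF token", http.StatusForbidden)
		return
	}
	owners[r.FormValue("user")] = true
	w.WriteHeader(http.StatusOK)
}

// IsOwner reports whether user has been added to the Owners team.
func IsOwner(user string) bool { return owners[user] }

func main() {
	// Assumed route shape for illustration, not Gogs' real path. A GET here now yields 405.
	http.HandleFunc("/org/acme/teams/owners/action/add", addOwnerHandler)
	http.ListenAndServe(":8080", nil)
}
```

The same pattern applies to the remove, join and leave actions: any request that changes membership is refused unless it is a POST carrying the session's own token.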