logo

Database

Insecure functionality In gogs.io/gogs

Description

Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation

Summary

A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function.

Vulnerable Code

In internal/database/repo_collaboration.go, line 129:

func (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {
    // Discard invalid input
    if mode <= AccessModeNone || mode > AccessModeOwner {
        return nil
    }

AccessModeOwner has value 4. The check mode > AccessModeOwner evaluates to 4 > 4 = false, allowing AccessModeOwner to pass through. The correct check should be mode >= AccessModeOwner.

The web route at internal/route/repo/setting.go:413-416 takes the mode as a raw integer from query parameters:

func ChangeCollaborationAccessMode(c *context.Context) {
    if err := c.Repo.Repository.ChangeCollaborationAccessMode(
        c.QueryInt64("uid"),
        database.AccessMode(c.QueryInt("mode"))); err != nil {

This allows an admin collaborator to POST mode=4 and escalate to owner.

Impact

A repository admin collaborator (AccessModeAdmin = 3) can escalate to owner-level access (AccessModeOwner = 4), gaining the ability to:

    Delete the repository

    Transfer repository ownership to another user

    Erase wiki data

    Perform all other owner-only operations

The access table is also updated (line 181), so the escalated permissions persist across sessions.

Contrast

The API route at internal/route/api/v1/repo_collaborators.go:46 uses ParseAccessMode() which only returns Read, Write, or Admin - never Owner. The API endpoint is not affected.

Steps to Reproduce

    User A creates a private repository

    User A adds User B as a collaborator with Admin access (mode=3)

    User B logs in and navigates to the repository settings collaboration page

    User B sends a POST request: 

    POST /{owner}/{repo}/settings/collaboration/access_mode?uid={B_uid}&mode=4

    User B now has Owner access - the "Danger Zone" section appears with "Delete This Repository" and "Transfer Ownership" buttons

Suggested Fix

Change the validation in internal/database/repo_collaboration.go line 129 from:

if mode <= AccessModeNone || mode > AccessModeOwner {

to:

if mode <= AccessModeNone || mode >= AccessModeOwner {

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-528042. NVD-2026-528043. OSV-2026-528044. GHSA-4565-r4x7-hg8j5. GCVE-2026-52804

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-4565-r4x7-hg8j2. https://github.com/gogs/gogs/pull/82273. https://github.com/gogs/gogs/commit/1fdc9cc28e159135cfa4d6b11ecd5daa0f8ce22b4. https://github.com/gogs/gogs/releases/tag/v0.14.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.