Improper authorization control for web services in gogs.io/gogs

Description

Gogs user can update repository content with read-only permission

Vulnerability Description

The endpoint PUT /repos/:owner/:repo/contents/* does not require write permission: the repoAssignment() check admits any caller that has read permission on the repository.

After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in:

    Commit creation

    Execution of git push

As a result, a token with read-only permission can be used to modify repository contents.
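To make the flaw concrete, the following added Go example (not Gogs code; the middleware, token table and route are constructed for illustration) places a permission check that only verifies read access beside one that also demands write access for mutating methods, and shows how each answers a PUT from a read-only token.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Access levels, mirroring the read/write split the advisory describes.
const (
	AccessNone = iota
	AccessRead
	AccessWrite
)

// Constructed token table: token -> access level on a single sample repository.
var tokenAccess = map[string]int{"tok-read": AccessRead, "tok-write": AccessWrite}

// requireRepoAccess is a hypothetical middleware. With requireWriteForMutation=false it
// mirrors the flawed check (any read access passes, even for PUT); with true it demands
// write access for methods that change repository content.
func requireRepoAccess(requireWriteForMutation bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mode := tokenAccess[r.Header.Get("Authorization")] // unknown token -> AccessNone
		if mode < AccessRead {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		mutating := r.Method == http.MethodPut || r.Method == http.MethodPost || r.Method == http.MethodDelete
		if requireWriteForMutation && mutating && mode < AccessWrite {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor drives a stand-in content-update handler through the middleware and returns the status.
func StatusFor(token, method string, hardened bool) int {
	update := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "/repos/owner/repo/contents/README.md", nil)
	req.Header.Set("Authorization", token)
	rec := httptest.NewRecorder()
	requireRepoAccess(hardened, update).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("read-only PUT -> flawed:", StatusFor("tok-read", "PUT", false), "hardened:", StatusFor("tok-read", "PUT", true))
}
```

The hardened variant keeps read-only tokens able to GET while refusing their PUT with 403, which is the check the vulnerable endpoint lacks.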


Attack Prerequisites

    Possession of a valid access token

    Read permission on the target repository (public repository or collaborator with read access)


Attack Scenario

    The attacker accesses the target repository with a read-only token

    The attacker sends a PUT /contents request to update an arbitrary file

    The server creates a commit and performs a git push on behalf of the attacker


Potential Impact

    Source code tampering

    Injection of backdoors

    Compromise of release artifacts and distributed packages

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
