FKIE_CVE-2026-23632

Vulnerability from fkie_nvd - Published: 2026-02-06 18:15 - Updated: 2026-02-17 21:53
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
References
security-advisories@github.comhttps://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqrVendor Advisory
Impacted products
Vendor Product Version
gogs gogs *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "674F0DE0-7669-4B02-B45E-DD60FB5D462F",
              "versionEndExcluding": "0.13.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint \"PUT /repos/:owner/:repo/contents/*\" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev."
    },
    {
      "lang": "es",
      "value": "Gogs es un servicio Git autoalojado de c\u00f3digo abierto. En la versi\u00f3n 0.13.3 y anteriores, el endpoint \u0027PUT /repos/:owner/:repo/contents/*\u0027 no requiere permisos de escritura y permite el acceso solo con permiso de lectura a trav\u00e9s de repoAssignment(). Despu\u00e9s de pasar la verificaci\u00f3n de permisos, PutContents() invoca a UpdateRepoFile(), lo que resulta en la creaci\u00f3n de un commit y la ejecuci\u00f3n de git push. Como resultado, un token con permiso de solo lectura puede ser utilizado para modificar el contenido del repositorio. Este problema ha sido parcheado en las versiones 0.13.4 y 0.14.0+dev."
    }
  ],
  "id": "CVE-2026-23632",
  "lastModified": "2026-02-17T21:53:45.123",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-06T18:15:56.553",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.