CVE-2026-52799 is a high-severity missing authorization vulnerability in gogs.io/gogs (go), affecting versions <= 0.14.2. It is fixed in 0.14.3.
Summary
In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or for its repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository.

Description
The /attachments/:uuid handler retrieves an attachment record solely by the UUID supplied in the URL and returns the corresponding local file without any authorization check against the attachment's parent object (Issue/Comment/Release) or the repository it belongs to. As a result, attachments under private repositories can be downloaded by an unauthenticated user (or by a user who has no permission on that repository) as long as the UUID is known.

Relevant code (internal/cmd/web.go:306):

The UUID lookup itself performs no validation tied to repository visibility or user permissions; authorization is not enforced at the database layer either.

Relevant code (internal/database/attachment.go:124):

Preconditions
- The attacker knows the target attachment's UUID (i.e., the attachment URL).
- For unauthenticated exploitation: [auth] REQUIRE_SIGNIN_VIEW = false.
- Even with REQUIRE_SIGNIN_VIEW = true, exploitation may still be possible because the handler does not check repository-level permissions: a user who can log in but lacks access to the target repository can still retrieve the attachment.

Steps to Reproduce
1. Log in as an administrator and create a private repository, e.g. myadmin/idor-attach-1770724346-1a13bb.
2. Add an attachment to an Issue in that repository and note the attachment UUID (example UUID used during testing: f06d90f8-5b62-4c10-ac8d-f11fdf870b57).
3. Log out and, as an unauthenticated user, request the following:
   - the repository page: 404 Not Found
   - the Issue page under that repository: 404 Not Found
   - GET /attachments/<uuid>: the attachment file is downloaded successfully

Minimum Required Privileges
REQUIRE_SIGNIN_VIEW = false: none (works without authentication).
REQUIRE_SIGNIN_VIEW = true: only the ability to log in; repository view permission is not required in practice.

Impact
Confidential information attached to private repositories or restricted Issues/Releases may be disclosed: credentials, cryptographic keys, personal data, internal documents, or unpublished source code fragments. While the severity depends on the attachment contents, attachments frequently contain sensitive data, so the potential impact is high.
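The following Go program is an added example, not Gogs's own code, that reproduces the handler pattern the advisory describes and sets the fixed form beside it. The in-memory types, the `IssueRepo` map, the `X-Test-User` header and the `canReadRepo` rule are assumptions made for the example; the sample data is constructed to match the advisory's scenario (a private repository readable only by `myadmin`, one issue, one attachment with the advisory's example UUID). `VulnerableHandler` applies only the instance-wide sign-in gate and then serves the file by UUID; `HardenedHandler` resolves attachment to issue to repository and requires read access on that repository first.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// In-memory model for the example; assumed types, not Gogs's own.
type Repo struct {
	IsPrivate bool
	Readers   map[string]bool // user names with read access to the repository
}

type Attachment struct {
	IssueID int64 // parent issue; 0 would mean "not yet bound to an issue"
	Content []byte
}

// App holds the stores and the setting the advisory discusses ([auth] REQUIRE_SIGNIN_VIEW).
type App struct {
	Repos             map[int64]*Repo
	IssueRepo         map[int64]int64        // issue ID -> repository ID
	Attachments       map[string]*Attachment // keyed by UUID
	RequireSignInView bool
}

// currentUser reads a constructed test header; "" means an anonymous request.
func currentUser(r *http.Request) string { return r.Header.Get("X-Test-User") }

// VulnerableHandler reproduces the advisory's pattern: sign-in gate only, then the file is served by UUID alone.
func (a *App) VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if a.RequireSignInView && currentUser(r) == "" {
		http.Error(w, "sign in required", http.StatusUnauthorized)
		return
	}
	att, ok := a.Attachments[strings.TrimPrefix(r.URL.Path, "/attachments/")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	_, _ = w.Write(att.Content) // parent issue and repository are never consulted
}

// canReadRepo is the assumed authorization rule for the example.
func (a *App) canReadRepo(user string, repo *Repo) bool {
	if user == "" && a.RequireSignInView {
		return false // anonymous browsing is disabled instance-wide
	}
	return !repo.IsPrivate || repo.Readers[user] // private repo: explicit read access only
}

// HardenedHandler resolves attachment -> issue -> repository and requires read access; 404, not 403, so a guessed UUID confirms nothing.
func (a *App) HardenedHandler(w http.ResponseWriter, r *http.Request) {
	att, ok := a.Attachments[strings.TrimPrefix(r.URL.Path, "/attachments/")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	// No resolvable issue (IssueID 0, or a deleted issue) is refused; a real implementation must decide who may see such uploads.
	repoID, ok := a.IssueRepo[att.IssueID]
	repo := a.Repos[repoID]
	if !ok || repo == nil || !a.canReadRepo(currentUser(r), repo) {
		http.NotFound(w, r)
		return
	}
	_, _ = w.Write(att.Content)
}

// Fetch sends GET /attachments/<uuid> as user ("" = anonymous) and returns status and body.
func Fetch(h http.HandlerFunc, uuid, user string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/attachments/"+uuid, nil)
	if user != "" {
		req.Header.Set("X-Test-User", user)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

// NewTestApp builds the advisory's scenario: a private repository readable only by "myadmin", one issue, one attachment (UUID from the advisory's example).
func NewTestApp(requireSignInView bool) *App {
	return &App{
		Repos:     map[int64]*Repo{1: {IsPrivate: true, Readers: map[string]bool{"myadmin": true}}},
		IssueRepo: map[int64]int64{10: 1},
		Attachments: map[string]*Attachment{
			"f06d90f8-5b62-4c10-ac8d-f11fdf870b57": {IssueID: 10, Content: []byte("secret")},
		},
		RequireSignInView: requireSignInView,
	}
}

func main() {
	app := NewTestApp(false)
	vc, _ := Fetch(app.VulnerableHandler, "f06d90f8-5b62-4c10-ac8d-f11fdf870b57", "")
	hc, _ := Fetch(app.HardenedHandler, "f06d90f8-5b62-4c10-ac8d-f11fdf870b57", "")
	fmt.Printf("anonymous, REQUIRE_SIGNIN_VIEW=false: vulnerable=%d hardened=%d\n", vc, hc)
}
```

Three points the example makes that the prose above does not: with the sign-in gate enabled, the vulnerable handler still serves the file to any signed-in account (the "outsider" case), which is exactly the advisory's second precondition; the hardened handler answers 404 for both unknown UUIDs and unauthorized requests, so the response does not reveal whether a guessed UUID exists; and the advisory names Comment and Release attachments as parents too, so a real fix has to resolve each parent type to its repository, not only the issue path modelled here.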
The application does not perform an authorization check before serving the attachment file, a sensitive operation (CWE-862, Missing Authorization). Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-52799 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.14.3). Upgrading removes the vulnerable code path.
Affected: gogs.io/gogs (go) <= 0.14.2
Fixed in: gogs.io/gogs 0.14.3
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.