CVE-2026-52808 is a high-severity improper privilege management vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3.
Summary Three API endpoints, PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync, are gated by reqRepoWriter() rather than reqRepoAdmin(). The equivalent operations in the web UI sit behind reqRepoAdmin, which requires AccessMode >= AccessModeAdmin. A write-level collaborator (who has AccessMode == AccessModeWrite < AccessModeAdmin) can therefore call these API endpoints directly to disable the native issue tracker or wiki, inject attacker-controlled external tracker/wiki URLs that redirect all repository visitors, or trigger mirror sync, none of which they are authorized to do. Severity High (CVSS 3.1: 7.1) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L Attack Vector: Network, the API endpoints are reachable over HTTP/S. Attack Complexity: Low, a single API call is sufficient; no chaining or race condition required. Privileges Required: Low, only write-level collaborator access to the targeted repository is needed. The attacker does not need repo-admin or site-admin privileges. User Interaction: None, the attacker acts unilaterally. Scope: Unchanged, the impact is contained to the targeted repository's settings and its visitors. Confidentiality Impact: None, the attacker does not read confidential data directly. Integrity Impact: High, the attacker permanently mutates repository configuration, including injecting an external URL that redirects all visitors who click the Issues or Wiki tabs to an attacker-controlled site. Availability Impact: Low, disabling the native issue tracker or wiki reduces the availability of those features for all repository participants. Affected component internal/route/api/v1/api.go, route registration (lines 365–367) internal/route/api/v1/reporepo.go, issueTracker() (line 400), wiki() (line 437), mirrorSync() (line 463) CWE CWE-863: Incorrect Authorization CWE-269: Improper Privilege Management Description Three admin-equivalent API endpoints are protected by write-level middleware api.go:365-367 registers the three settings endpoints with reqRepoWriter(): reqRepoWriter() (defined at api.go:131-138) passes any user whose repository AccessMode >= AccessModeWrite: The handlers themselves perform no additional privilege check before mutating state: The wiki() handler (lines 437–461) follows the same pattern, writing repo.ExternalWikiURL directly and calling UpdateRepository with no admin gate. The web UI imposes a stricter admin requirement for the same operations cmd/gogs/web.go:472 wraps the entire /settings subtree with reqRepoAdmin: context.RequireRepoAdmin() (defined at context/repo.go:434-441) requires AccessMode >= AccessModeAdmin: In the access mode hierarchy, AccessModeWrite < AccessModeAdmin. A write-level collaborator satisfies reqRepoWriter() but does not satisfy RequireRepoAdmin(). The API path provides the write-level collaborator with capabilities that the UI correctly withholds. Full execution chain Attacker precondition: Attacker is added as a repository collaborator with write access (AccessMode == AccessModeWrite). API call: PATCH /api/v1/repos/OWNER/REPO/issue-tracker with Authorization: token WRITERTOKEN and body {"enableexternaltracker":true,"externaltrackerurl":"https://attacker.example/phish"}. Middleware: reqRepoWriter() checks c.Repo.IsWriter() → AccessMode >= AccessModeWrite → passes. Handler: issueTracker() sets repo.EnableExternalTracker = true and repo.ExternalTrackerURL = "https://attacker.example/phish", then calls database.UpdateRepository(repo, false). No admin check occurs. Impact: All visitors to the repository who click the "Issues" tab are redirected to the attacker's server. The native issue tracker is bypassed permanently until a repo admin reverses the change. Proof of Concept Impact A write-level collaborator can permanently replace the native issue tracker with an external URL under attacker control, redirecting all repository visitors who follow the Issues link to a phishing or malware-serving page. The same redirect attack applies to the Wiki tab via the external wiki URL setting. Both redirects remain active until a repo admin or owner manually reverses the setting; the attacker has no way to be removed from having already made the change. Mirror sync can be triggered repeatedly, potentially causing unnecessary load on the upstream mirror source or consuming network resources. All three operations are silent, no notification is sent to repo admins when these settings change via the API. Recommended remediation Option 1: Change middleware to reqRepoAdmin() on all three endpoints (preferred) Replace reqRepoWriter() with reqRepoAdmin() at the route registration level. This is a one-line change per endpoint and aligns the API authorization with the web UI's established policy. Option 2: Add an explicit admin check inside the handlers Add c.Repo.IsAdmin() checks at the top of issueTracker(), wiki(), and mirrorSync(). This is less preferred because it duplicates middleware logic in handler code, but it provides defense-in-depth if the route middleware is ever accidentally changed. Credit This vulnerability was discovered and reported by bugbunny.ai.
The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access. Typical impact: privilege escalation beyond the intended level.
CVE-2026-52808 has a CVSS score of 7.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.14.3). Upgrading removes the vulnerable code path.
go
gogs.io/gogs (< 0.14.3)gogs.io/gogs → 0.14.3 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-52808 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-52808 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-52808 in your environment →Upgrade gogs.io/gogs to 0.14.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-52808 is a high-severity improper privilege management vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3. The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access.
CVE-2026-52808 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
gogs.io/gogs (go) versions < 0.14.3 is affected.
Yes. CVE-2026-52808 is fixed in 0.14.3. Upgrade to this version or later.
Whether CVE-2026-52808 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade gogs.io/gogs to 0.14.3 or later.