CVE-2026-52815 is a medium-severity security vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3.
Summary Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. Affected Versions Gogs (all current versions) Vulnerability Details Root Cause: Missing reqToken() middleware on org teams route group internal/route/api/v1/api.go lines 380-385: The orgAssignment(true) middleware only loads the organization object, it performs no authentication. The listTeams() handler at orgteam.go:8 returns all teams unconditionally: Compare with other org endpoints that correctly require authentication: Attack Chain Attacker sends GET /api/v1/orgs/target-org/teams with no authentication orgAssignment(true) loads the organization but does not check auth ListTeams() queries all teams and returns them Response includes team IDs, names, descriptions, and permission levels (read/write/admin/owner) Proof of Concept Impact An unauthenticated attacker can: Enumerate all teams within any organization, including private/internal teams Discover team permission levels (read/write/admin/owner), aiding privilege escalation planning Map organizational structure and identify high-value targets (admin/owner teams) Harvest team IDs for use in other API calls that may have weaker authorization checks Suggested Remediation Add reqToken() middleware to the org teams route group, consistent with other authenticated org endpoints. Additionally, ListTeams() should verify the authenticated user is a member of the organization.
go
gogs.io/gogs (< 0.14.3)gogs.io/gogs → 0.14.3 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-52815 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-52815 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-52815 in your environment →Upgrade gogs.io/gogs to 0.14.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-52815 is a medium-severity security vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3.
gogs.io/gogs (go) versions < 0.14.3 is affected.
Yes. CVE-2026-52815 is fixed in 0.14.3. Upgrade to this version or later.
Whether CVE-2026-52815 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade gogs.io/gogs to 0.14.3 or later.