Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Gogs |
|
No data.
No data.
References
History
Thu, 25 Jun 2026 06:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Gogs
Gogs gogs |
|
| Vendors & Products |
Gogs
Gogs gogs |
Wed, 24 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content. | |
| Title | Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-24T20:06:15.058Z
Updated: 2026-06-24T20:06:15.058Z
Reserved: 2026-06-08T18:02:19.731Z
Link: CVE-2026-52795
Vulnrichment
No data.
NVD
No data.
Redhat
No data.