Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Gogs |
|
No data.
No data.
References
History
Thu, 25 Jun 2026 06:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Gogs
Gogs gogs |
|
| Vendors & Products |
Gogs
Gogs gogs |
Wed, 24 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3. | |
| Title | Gogs: Unauthenticated Organization Teams Information Disclosure via API | |
| Weaknesses | CWE-200 | |
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-24T20:01:03.050Z
Updated: 2026-06-24T20:01:03.050Z
Reserved: 2026-06-08T18:11:06.660Z
Link: CVE-2026-52815
Vulnrichment
No data.
NVD
No data.
Redhat
No data.