PT-2026-20321 · Gogs · Gogs

Spingarbor · Published 2026-02-17 · Updated 2026-03-03 · CVE-2026-25229

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Gogs versions 0.13.4 and below
Description: Gogs, a self-hosted Git service, has a broken access control issue: an authenticated user with write access to one repository can modify labels that belong to other repositories. The cause is that the UpdateLabel handler in the Web UI (internal/route/repo/issue.go) does not verify that the label being modified belongs to the repository named in the request. The affected endpoint is the Web UI's label update route, POST /:username/:reponame/labels/edit, where the UpdateLabel handler looks the label up with database.GetLabelByID(f.ID), a query made with repoID=0 that ignores repository restrictions; the submitted id is therefore honoured regardless of which repository owns the label. The impact is disruption of issue classification, concealment of security-relevant issues, and sabotage of issue-tracking workflows. The vulnerable code is located at internal/route/repo/issue.go:1040-1054. The API endpoint used for exploitation is /api/v1/labels/edit. The vulnerable parameter is id.
Recommendations: Update to version 0.14.1 or later.
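The root cause described above is a lookup keyed on the label's primary key alone, with the repository resolved from the URL never compared against the label's owner. The following Go program is an added illustration of that pattern and its repository-scoped fix; it is not Gogs code and does not reproduce its database layer. The types (Label, LabelStore), the handler stand-ins (UpdateLabelUnscoped, UpdateLabelScoped), the lookup names and the sample labels are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Label is a minimal stand-in for an issue label: a primary key and the
// repository that owns it. Hypothetical type, not Gogs' own model.
type Label struct {
	ID     int64
	RepoID int64
	Name   string
}

// LabelStore is a constructed in-memory replacement for the database layer.
type LabelStore struct {
	labels map[int64]*Label
}

// NewLabelStore seeds the store with the given labels (constructed sample data).
func NewLabelStore(labels ...Label) *LabelStore {
	s := &LabelStore{labels: map[int64]*Label{}}
	for i := range labels {
		l := labels[i] // fresh copy per label so each pointer is distinct
		s.labels[l.ID] = &l
	}
	return s
}

// ErrLabelNotExist is returned for a missing label and, in the scoped lookup,
// for a label owned by another repository, so the two cases are not distinguishable.
var ErrLabelNotExist = errors.New("label does not exist")

// GetLabelByID looks a label up by primary key only. With no repository scope,
// any existing ID is returned no matter which repository owns it; this is the
// unscoped lookup pattern the advisory describes (repoID=0).
func (s *LabelStore) GetLabelByID(id int64) (*Label, error) {
	l, ok := s.labels[id]
	if !ok {
		return nil, ErrLabelNotExist
	}
	return l, nil
}

// GetLabelOfRepoByID is the repository-scoped form: the row must match both the
// requested ID and the repository the request was made against.
func (s *LabelStore) GetLabelOfRepoByID(repoID, id int64) (*Label, error) {
	l, ok := s.labels[id]
	if !ok || l.RepoID != repoID {
		return nil, ErrLabelNotExist
	}
	return l, nil
}

// UpdateLabelUnscoped models the weak handler: the label ID comes from the
// submitted form, but currentRepoID (resolved from the URL, where write access
// was checked) is never compared with the label's owner.
func UpdateLabelUnscoped(s *LabelStore, currentRepoID, formID int64, newName string) error {
	_ = currentRepoID // authorised repository is ignored by the lookup
	l, err := s.GetLabelByID(formID)
	if err != nil {
		return err
	}
	l.Name = newName
	return nil
}

// UpdateLabelScoped is the hardened handler: the lookup is bound to the
// repository the caller is authorised for, so a label ID belonging to another
// repository is simply not found and nothing is modified.
func UpdateLabelScoped(s *LabelStore, currentRepoID, formID int64, newName string) error {
	l, err := s.GetLabelOfRepoByID(currentRepoID, formID)
	if err != nil {
		return err
	}
	l.Name = newName
	return nil
}

// LabelName reports the current name of a label, or "" if it does not exist.
func (s *LabelStore) LabelName(id int64) string {
	if l, ok := s.labels[id]; ok {
		return l.Name
	}
	return ""
}

func main() {
	// Constructed sample: label 1 belongs to repo 10, label 2 to repo 20.
	s := NewLabelStore(
		Label{ID: 1, RepoID: 10, Name: "bug"},
		Label{ID: 2, RepoID: 20, Name: "security"},
	)
	// A writer on repo 10 submits id=2 (owned by repo 20).
	fmt.Println("unscoped:", UpdateLabelUnscoped(s, 10, 2, "wontfix"), "->", s.LabelName(2))
	fmt.Println("scoped:  ", UpdateLabelScoped(s, 10, 2, "wontfix"), "->", s.LabelName(2))
}
```

The detection value of the scoped form is that a cross-repository id collapses into the ordinary not-found path, so the handler needs no separate ownership comparison that could be forgotten; the repository ID from the authorised URL is part of the query itself. A code review check for this class of bug is to flag any handler that takes an object ID from user input and passes it to a lookup that has no owner or tenant parameter.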

Weakness Enumeration: Improper Access Control

Related Identifiers:
CVE-2026-25229
GHSA-CV22-72PX-F4GH
GO-2026-4499
SUSE-SU-2026:0757-1

Affected Products: Gogs