PT-2026-20322 · Gogs · Gogs

Spingarbor · Published 2026-02-17 · Updated 2026-03-03 · CVE-2026-25232

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gogs versions 0.13.4 and below

Description: Gogs, an open-source self-hosted Git service, contains an access control bypass. Repository collaborators with Write permission can delete protected branches, including the default branch, by sending a direct POST request. This bypasses the branch protection mechanism and enables privilege escalation from Write to Admin level. The vulnerability is in the DeleteBranchPost function in internal/route/repo/branch.go, specifically lines 110-155. Deletion through the web interface does not trigger the Git hooks that correctly prevent protected branch deletion via SSH push. An attacker must have Write permission on the target repository and access to the Gogs web interface. The vulnerable code lacks checks for protected and default branches, while the UI layer and Git hooks implement these checks correctly. The vulnerable endpoint is '/delete/*' and the vulnerable parameter is the branch name.

Recommendations: Versions prior to 0.14.1 are affected. Update to version 0.14.1 or later to resolve this vulnerability.
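The missing server-side check described above, as an added illustration that is not Gogs' own code: a branch-delete path that enforces nothing about the branch's role next to one that refuses the default and protected branches inside the handler, so a direct POST gains nothing over the UI or the Git hooks. The Repo type, its field names and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Repo is a constructed stand-in for repository state (not Gogs' own types).
type Repo struct {
	DefaultBranch string
	Protected     map[string]bool
	Branches      map[string]bool
}

var ErrNoSuchBranch = errors.New("branch does not exist")
var ErrDefaultBranch = errors.New("refusing to delete the default branch")
var ErrProtectedBranch = errors.New("refusing to delete a protected branch")

// deleteBranchUnchecked models the flaw: nothing about the branch's role is
// checked, so a direct POST never meets the rules the UI and Git hooks apply.
func deleteBranchUnchecked(r *Repo, name string) error {
	delete(r.Branches, name)
	return nil
}

// deleteBranchChecked enforces the default/protected rules in the handler itself.
func deleteBranchChecked(r *Repo, name string) error {
	if !r.Branches[name] {
		return ErrNoSuchBranch
	}
	if name == r.DefaultBranch {
		return ErrDefaultBranch
	}
	if r.Protected[name] {
		return ErrProtectedBranch
	}
	delete(r.Branches, name)
	return nil
}

// newSampleRepo builds constructed state: "main" is default, "release" protected.
func newSampleRepo() *Repo {
	return &Repo{DefaultBranch: "main", Protected: map[string]bool{"release": true},
		Branches: map[string]bool{"main": true, "release": true, "feature": true}}
}

func main() {
	fmt.Println("unchecked:", deleteBranchUnchecked(newSampleRepo(), "main")) // <nil>
	fmt.Println("checked:", deleteBranchChecked(newSampleRepo(), "main"))     // refuses
}
```

The point of the second function is that the authorization rule lives in the same code path every request reaches, not only in the UI or in a hook that a web request never triggers.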

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-25232
GHSA-2C6V-8R3V-GH6P
GO-2026-4498
SUSE-SU-2026:0757-1

Affected Products

Gogs