PT-2026-23487 · Gogs · Gogs

Rezmoss · Published 2026-02-13 · Updated 2026-03-25 · CVE-2026-26196

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.2

Description: The Gogs API accepts access tokens in URL query parameters, namely token and access_token, and consults those parameters before it looks at the Authorization header. A token carried in the URL travels with the request line, so it can be written to web-server and reverse-proxy access logs, retained in browser history, and forwarded to third-party sites in the Referer header. API routes accept any valid token regardless of how it was transmitted, so a token disclosed this way can be replayed against the API until it is revoked.

Recommendations: Update installations running a version prior to 0.14.2 to 0.14.2. Transmit API tokens only in the Authorization header, never in the query string. Until the upgrade is deployed, block requests carrying a token or access_token query parameter at the reverse proxy or WAF, strip query strings (or at least those two parameters) from access logs, and set a strict Referrer-Policy (for example no-referrer) on the Gogs web UI so that URLs containing a token are not forwarded to other sites.
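The query-before-header ordering the Description calls out, beside a header-only check and a log scrubber that implement the Recommendations, as an added Go example (Gogs is written in Go). This is illustrative code written for this page, not Gogs' own implementation: the names extractTokenLegacy, extractTokenHardened, requireHeaderToken and scrubQuery are hypothetical, the "Authorization: token <value>" header form is the one the Gogs API accepts, and the sample request URL is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Added example, not Gogs' own code. All function names are hypothetical.

var errTokenInQuery = errors.New("api token must be sent in the Authorization header, not the query string")

// tokenFromHeader parses the "Authorization: token <value>" scheme used by the Gogs API.
func tokenFromHeader(r *http.Request) string {
	fields := strings.Fields(r.Header.Get("Authorization"))
	if len(fields) == 2 && strings.EqualFold(fields[0], "token") {
		return fields[1]
	}
	return ""
}

// extractTokenLegacy reproduces the ordering the advisory describes: the query
// string is consulted first and the Authorization header only as a fallback,
// so a client that puts its token in the URL is silently accepted and the
// token ends up in access logs, browser history and Referer headers.
func extractTokenLegacy(r *http.Request) string {
	q := r.URL.Query()
	if t := q.Get("token"); t != "" {
		return t
	}
	if t := q.Get("access_token"); t != "" {
		return t
	}
	return tokenFromHeader(r)
}

// extractTokenHardened accepts a token only from the Authorization header and
// rejects the request if either query parameter is present at all (even with an
// empty value), so a misconfigured client fails loudly instead of leaking.
func extractTokenHardened(r *http.Request) (string, error) {
	q := r.URL.Query()
	if _, ok := q["token"]; ok {
		return "", errTokenInQuery
	}
	if _, ok := q["access_token"]; ok {
		return "", errTokenInQuery
	}
	return tokenFromHeader(r), nil
}

// requireHeaderToken is middleware for the hardened path: HTTP 400 for a token
// in the URL, 401 when no token is supplied, otherwise the request proceeds.
// The same check can be expressed as a reverse-proxy or WAF rule.
func requireHeaderToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := extractTokenHardened(r)
		switch {
		case err != nil:
			http.Error(w, err.Error(), http.StatusBadRequest)
		case tok == "":
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// scrubQuery redacts the two token parameters from a URL before it is written
// to an access log, for deployments that cannot yet block them at the proxy.
// url.Values.Encode sorts keys, which is acceptable for a log record.
func scrubQuery(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return rawURL
	}
	q := u.Query()
	for _, k := range []string{"token", "access_token"} {
		if _, ok := q[k]; ok {
			q.Set(k, "REDACTED")
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	// Constructed sample request: token in the query string, nothing in the header.
	r, _ := http.NewRequest("GET", "https://gogs.example/api/v1/user?access_token=abc123&page=2", nil)
	fmt.Println("legacy accepts:", extractTokenLegacy(r))
	_, err := extractTokenHardened(r)
	fmt.Println("hardened rejects:", err)
	fmt.Println("log line:", scrubQuery(r.URL.String()))
}
```

Rejecting with 400 rather than silently ignoring the parameter is deliberate: a client that is still sending its token in the URL has already leaked it to every intermediary on the path, and an error is the only signal its operator will notice.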

Related Identifiers

BDU:2026-06148
CVE-2026-26196
GHSA-X9P5-W45C-7FFC
GO-2026-4619
SUSE-SU-2026:1042-1

Affected Products

Gogs