PT-2026-51626 · Gogs · Gogs

Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-52808

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Gogs (affected versions not specified)

Description

An authorization bypass exists where three API endpoints are protected by write-level middleware instead of administrator-level middleware. This allows a collaborator with write access to perform administrative actions that are correctly restricted in the web UI. An attacker can use these endpoints to disable the native issue tracker or wiki and inject attacker-controlled external URLs, redirecting all repository visitors to external sites. Additionally, they can trigger mirror synchronization, potentially leading to resource abuse.

The affected API endpoints are:
  • 'PATCH /api/v1/repos/:owner/:repo/issue-tracker'
  • 'PATCH /api/v1/repos/:owner/:repo/wiki'
  • 'POST /api/v1/repos/:owner/:repo/mirror-sync'

These endpoints incorrectly use the reqRepoWriter() function, which only verifies that a user has write access, rather than reqRepoAdmin(), which ensures the user has administrator privileges. The vulnerable handler functions are issueTracker(), wiki(), and mirrorSync().

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the 'PATCH /api/v1/repos/:owner/:repo/issue-tracker', 'PATCH /api/v1/repos/:owner/:repo/wiki', and 'POST /api/v1/repos/:owner/:repo/mirror-sync' endpoints to authorized administrators only.
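As an added illustration (not Gogs's own code), the Go snippet below models the reported weakness as a route table for the three endpoints gated at write level beside the corrected table gated at repository-admin level, so the difference a writer sees can be checked directly; the AccessMode, RouteTable and Authorize names are constructed for this example.

```go
package main

import "strings"

// AccessMode is the collaborator level a caller holds on a repository.
type AccessMode int

const (
	AccessRead AccessMode = iota
	AccessWrite
	AccessAdmin
)

// route pairs a method and path pattern with the level it demands;
// ":owner" and ":repo" segments match any single path segment.
type route struct {
	method, pattern string
	required        AccessMode
}

func (r route) matches(method, path string) bool {
	want := strings.Split(strings.Trim(r.pattern, "/"), "/")
	got := strings.Split(strings.Trim(path, "/"), "/")
	if method != r.method || len(want) != len(got) {
		return false
	}
	for i := range want {
		if !strings.HasPrefix(want[i], ":") && want[i] != got[i] {
			return false
		}
	}
	return true
}

// RouteTable builds the advisory's three routes gated at one level:
// AccessWrite reproduces the reported weakness (a reqRepoWriter-style gate),
// AccessAdmin is the corrected wiring (a reqRepoAdmin-style gate).
func RouteTable(level AccessMode) []route {
	return []route{
		{"PATCH", "/api/v1/repos/:owner/:repo/issue-tracker", level},
		{"PATCH", "/api/v1/repos/:owner/:repo/wiki", level},
		{"POST", "/api/v1/repos/:owner/:repo/mirror-sync", level},
	}
}

// Authorize reports whether a caller holding mode may call method+path
// under table. Requests with no matching route are denied (fail closed).
func Authorize(table []route, mode AccessMode, method, path string) bool {
	for _, r := range table {
		if r.matches(method, path) {
			return mode >= r.required
		}
	}
	return false
}
```

Under RouteTable(AccessWrite) a write collaborator is allowed through all three endpoints; under RouteTable(AccessAdmin) the same caller is denied and only an admin passes.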

Weakness Enumeration

Improper Privilege Management

Incorrect Authorization

Related Identifiers

CVE-2026-52808
GHSA-268J-37XF-PP52

Affected Products

Gogs