PT-2026-51633 · Gogs · Gogs

Published: 2026-06-23 · Updated: 2026-06-24 · CVE-2026-52815

CVSS v4.0: 5.5 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.3

Description: Gogs contains an information disclosure issue where the 'GET /api/v1/orgs/:orgname/teams' endpoint returns all teams for any organization without requiring authentication. This occurs because the route group lacks the reqToken() middleware, and the listTeams() handler does not perform authentication checks. Consequently, an unauthenticated caller can access team IDs, names, descriptions, and permission levels (read, write, admin, or owner). This allows for the enumeration of private or internal teams, mapping of organizational structures, and identification of high-value targets.

Recommendations: Update to version 0.14.3 or later. As a temporary workaround, restrict access to the 'GET /api/v1/orgs/:orgname/teams' endpoint to minimize the risk of exploitation.
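The root cause described above is a route registered outside the group that carries the token-checking middleware, with a handler that assumes the middleware already ran. The following Go program, added here as an illustration and not code from Gogs or from the advisory, shows that shape with a minimal net/http server: the same listTeams handler is registered once bare (the vulnerable arrangement) and once wrapped in a reqToken middleware (the fixed arrangement). The names reqToken, listTeams, teamsRoute, newRouter and statusFor, the token value, and the JSON team list are all constructed for this example and are not Gogs's API or data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// validToken is a constructed credential for the example; it is not a real
// Gogs token and exists only so the middleware has something to compare.
const validToken = "example-token-not-real"

// reqToken is a hypothetical stand-in for the authentication middleware the
// advisory says was missing from the route group. It rejects any request
// that does not carry a valid "Authorization: token <value>" header before
// the wrapped handler is reached.
func reqToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "token "+validToken {
			w.Header().Set("Content-Type", "application/json")
			http.Error(w, `{"message":"token is required"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// listTeams is a hypothetical handler that returns a constructed team list
// and performs no authentication check of its own, matching the advisory's
// description of the handler relying entirely on the route group.
func listTeams(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `[{"id":1,"name":"Owners","permission":"owner"}]`)
}

// teamsRoute dispatches only GET /api/v1/orgs/<org>/teams to h and returns
// 404 for everything else, standing in for the router's path matching.
func teamsRoute(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		ok := r.Method == http.MethodGet && len(parts) == 5 &&
			parts[0] == "api" && parts[1] == "v1" && parts[2] == "orgs" && parts[4] == "teams"
		if !ok {
			http.NotFound(w, r)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// newRouter builds the server. With protected=false the teams route is
// registered bare (the vulnerable shape); with protected=true it sits
// behind reqToken (the fixed shape).
func newRouter(protected bool) http.Handler {
	var h http.Handler = http.HandlerFunc(listTeams)
	if protected {
		h = reqToken(h)
	}
	return teamsRoute(h)
}

// statusFor sends one in-memory request for an org's team list and returns
// the HTTP status code, so both router shapes can be compared side by side.
func statusFor(protected bool, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/orgs/example-org/teams", nil)
	if token != "" {
		req.Header.Set("Authorization", "token "+token)
	}
	rec := httptest.NewRecorder()
	newRouter(protected).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unprotected route, no token:  ", statusFor(false, ""))
	fmt.Println("protected route, no token:    ", statusFor(true, ""))
	fmt.Println("protected route, wrong token: ", statusFor(true, "wrong"))
	fmt.Println("protected route, valid token: ", statusFor(true, validToken))
}
```

The useful check for a defender is the second line of output: once the middleware wraps the route, an unauthenticated request gets 401 instead of the team list. A regression test of exactly this form, asserting 401 for every authenticated-only route when no credentials are sent, is what catches a route that was accidentally registered outside the protected group.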

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-52815
GHSA-744X-3838-5R56

Affected Products

Gogs