PT-2026-6852 — Gogs.Io/Gogs

PT-2026-6852 · Go · Gogs.Io/Gogs

Published

2026-02-06

Updated

2026-02-06

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Vulnerability Description

The endpoint PUT /repos/:owner/:repo/contents/* does not require write permissions and allows access with read permission only via repoAssignment().

After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in:

Commit creation
Execution of git push

As a result, a token with read-only permission can be used to modify repository contents.

Attack Prerequisites

Possession of a valid access token
Read permission on the target repository (public repository or collaborator with read access)

Attack Scenario

The attacker accesses the target repository with a read-only token
The attacker sends a PUT /contents request to update an arbitrary file
The server creates a commit and performs a git push on behalf of the attacker

Potential Impact

Source code tampering
Injection of backdoors
Compromise of release artifacts and distributed packages

Fix

Incorrect Authorization

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863CWE-862

Related Identifiers

GHSA-5QHX-GWFJ-6JQR

Affected Products

Gogs.Io/Gogs