CVE-2026-26196

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26196

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26196.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26196

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-05T18:49:19.540Z

Modified

2026-04-10T05:40:58.934716Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Gogs: Access tokens get exposed through URL params in API requests

Details

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-598"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26196.json"
}

References

Affected packages

Git / github.com/gogs/gogs

Affected ranges

Type: GIT
Repo: https://github.com/gogs/gogs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5dcb6c64bdf61e38dbdbb941c1d69789c560d0fb

Affected versions

v0.*

v0.10

v0.10.18

v0.10.8

v0.10rc

v0.11

v0.11.19

v0.11.29

v0.11.33

v0.11.34

v0.11.4

v0.11.43

v0.11.53

v0.11.66

v0.11.79

v0.11.86

v0.11.91

v0.11rc

v0.14.0

v0.14.0-rc.1

v0.14.1

v0.14.1-rc.1

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.5.11

v0.5.13

v0.5.2

v0.5.5

v0.5.8

v0.5.9

v0.6.1

v0.6.15

v0.6.3

v0.6.9

v0.7.0

v0.7.19

v0.7.22

v0.7.33

v0.7.6

v0.8.0

v0.8.10

v0.8.25

v0.8.43

v0.9.0

v0.9.113

v0.9.128

v0.9.13

v0.9.141

v0.9.46

v0.9.48

v0.9.60

v0.9.71

v0.9.97

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26196.json"