CVE-2026-52795

Source
https://cve.org/CVERecord?id=CVE-2026-52795
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52795.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52795
Aliases
  • GHSA-v8w7-f6gc-cqc2
Published
2026-06-24T20:06:15.058Z
Modified
2026-07-15T01:48:57.070978153Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity
Details

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52795.json"
}
References

Affected packages

Git / github.com/gogs/gogs

Affected ranges

Type
GIT
Repo
https://github.com/gogs/gogs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.14.3"
        }
    ]
}

Affected versions

Other
latest-commit-build
v0.*
v0.10
v0.10.18
v0.10.8
v0.10rc
v0.11
v0.11.19
v0.11.29
v0.11.33
v0.11.34
v0.11.4
v0.11.43
v0.11.53
v0.11.66
v0.11.79
v0.11.86
v0.11.91
v0.11rc
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.11
v0.5.13
v0.5.2
v0.5.5
v0.5.8
v0.5.9
v0.6.1
v0.6.15
v0.6.3
v0.6.9
v0.7.0
v0.7.19
v0.7.22
v0.7.33
v0.7.6
v0.8.0
v0.8.10
v0.8.25
v0.8.43
v0.9.0
v0.9.113
v0.9.128
v0.9.13
v0.9.141
v0.9.46
v0.9.48
v0.9.60
v0.9.71
v0.9.97

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52795.json"