GHSA-4565-r4x7-hg8j

Source
https://github.com/advisories/GHSA-4565-r4x7-hg8j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-4565-r4x7-hg8j/GHSA-4565-r4x7-hg8j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4565-r4x7-hg8j
Aliases
  • CVE-2026-52804
Published
2026-06-23T16:52:30Z
Modified
2026-06-23T17:00:12.262099187Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation
Details

Summary

A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function.

Vulnerable Code

In internal/database/repo_collaboration.go, line 129:

func (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {
    // Discard invalid input
    if mode <= AccessModeNone || mode > AccessModeOwner {
        return nil
    }

AccessModeOwner has value 4. The check mode > AccessModeOwner evaluates to 4 > 4 = false, allowing AccessModeOwner to pass through. The correct check should be mode >= AccessModeOwner.

The web route at internal/route/repo/setting.go:413-416 takes the mode as a raw integer from query parameters:

func ChangeCollaborationAccessMode(c *context.Context) {
    if err := c.Repo.Repository.ChangeCollaborationAccessMode(
        c.QueryInt64("uid"),
        database.AccessMode(c.QueryInt("mode"))); err != nil {

This allows an admin collaborator to POST mode=4 and escalate to owner.

Impact

A repository admin collaborator (AccessModeAdmin = 3) can escalate to owner-level access (AccessModeOwner = 4), gaining the ability to:
  • Delete the repository
  • Transfer repository ownership to another user
  • Erase wiki data
  • Perform all other owner-only operations

The access table is also updated (line 181), so the escalated permissions persist across sessions.

Contrast

The API route at internal/route/api/v1/repo_collaborators.go:46 uses ParseAccessMode() which only returns Read, Write, or Admin - never Owner. The API endpoint is not affected.

Steps to Reproduce

  1. User A creates a private repository
  2. User A adds User B as a collaborator with Admin access (mode=3)
  3. User B logs in and navigates to the repository settings collaboration page
  4. User B sends a POST request:
    POST /{owner}/{repo}/settings/collaboration/access_mode?uid={B_uid}&mode=4
    
  5. User B now has Owner access - the "Danger Zone" section appears with "Delete This Repository" and "Transfer Ownership" buttons

Suggested Fix

Change the validation in internal/database/repo_collaboration.go line 129 from:

if mode <= AccessModeNone || mode > AccessModeOwner {

to:

if mode <= AccessModeNone || mode >= AccessModeOwner {
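
The following is an added example, not code from Gogs or from the advisory, that puts the vulnerable bound and the suggested fix side by side and runs both over every integer a caller could supply in the mode parameter. The AccessMode constant values other than Admin = 3 and Owner = 4 are assumed (None = 0, Read = 1, Write = 2), and the parseAccessMode and changeCollaborationAccessMode helpers are hypothetical stand-ins for the allow-list parsing the advisory attributes to the API route and for the repository method, not the project's own functions.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessMode mirrors the ordering of Gogs' access levels. Only Admin = 3 and
// Owner = 4 are stated in the advisory; the other values are assumed here.
type AccessMode int

const (
	AccessModeNone  AccessMode = iota // 0: no access
	AccessModeRead                    // 1
	AccessModeWrite                   // 2
	AccessModeAdmin                   // 3: highest mode a collaborator may hold
	AccessModeOwner                   // 4: reserved for the repository owner
)

// collaboratorModeAllowedVulnerable reproduces the off-by-one check from the
// advisory: the upper bound uses ">", so AccessModeOwner (4 > 4 is false) passes.
func collaboratorModeAllowedVulnerable(mode AccessMode) bool {
	return !(mode <= AccessModeNone || mode > AccessModeOwner)
}

// collaboratorModeAllowedFixed applies the suggested fix: ">=" excludes Owner,
// so the accepted set is exactly {Read, Write, Admin}.
func collaboratorModeAllowedFixed(mode AccessMode) bool {
	return !(mode <= AccessModeNone || mode >= AccessModeOwner)
}

// parseAccessMode is a hypothetical allow-list parser in the style the advisory
// describes for the API route: only named collaborator levels map to a mode;
// anything else, including "owner" or a bare integer, yields AccessModeNone.
func parseAccessMode(s string) AccessMode {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "read":
		return AccessModeRead
	case "write":
		return AccessModeWrite
	case "admin":
		return AccessModeAdmin
	default:
		return AccessModeNone
	}
}

// changeCollaborationAccessMode is a minimal stand-in for the repository method.
// It validates with the fixed bound and updates an in-memory collaborator table;
// unlike the original, it reports invalid input as an error rather than
// silently returning nil, so callers and logs can see rejected requests.
func changeCollaborationAccessMode(collabs map[int64]AccessMode, userID int64, mode AccessMode) error {
	if !collaboratorModeAllowedFixed(mode) {
		return fmt.Errorf("invalid collaborator access mode %d for user %d", mode, userID)
	}
	if _, ok := collabs[userID]; !ok {
		return fmt.Errorf("user %d is not a collaborator", userID)
	}
	collabs[userID] = mode
	return nil
}

func main() {
	// Constructed input: every integer around the valid range that a "mode"
	// query parameter could carry.
	for m := AccessMode(-1); m <= AccessModeOwner+1; m++ {
		fmt.Printf("mode=%d vulnerable=%-5v fixed=%v\n",
			m, collaboratorModeAllowedVulnerable(m), collaboratorModeAllowedFixed(m))
	}

	// Constructed state: user 42 is an admin collaborator who asks for Owner.
	collabs := map[int64]AccessMode{42: AccessModeAdmin}
	err := changeCollaborationAccessMode(collabs, 42, AccessModeOwner)
	fmt.Println("owner request rejected:", err != nil, "stored mode:", collabs[42])
}
```

Running the block prints one row per candidate mode; the only row where the two checks disagree is mode=4, which is the whole bug. A regression test for the fix is the same loop with the expectation that Owner is rejected and Read through Admin are still accepted.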

Database specific
{
    "github_reviewed_at": "2026-06-23T16:52:30Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-193"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.14.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-4565-r4x7-hg8j/GHSA-4565-r4x7-hg8j.json"