CVE-2026-52809

Source
https://cve.org/CVERecord?id=CVE-2026-52809
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52809.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52809
Aliases
Published
2026-06-24T20:29:29.701Z
Modified
2026-07-08T08:05:24.307662249Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
Details

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESETPASSWORDCODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-324",
        "CWE-613"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52809.json"
}
References

Affected packages

Git / github.com/gogs/gogs

Affected ranges

Type
GIT
Repo
https://github.com/gogs/gogs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.14.3"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.10
v0.10.18
v0.10.8
v0.10rc
v0.11
v0.11.19
v0.11.29
v0.11.33
v0.11.34
v0.11.4
v0.11.43
v0.11.53
v0.11.66
v0.11.79
v0.11.86
v0.11.91
v0.11rc
v0.14.0
v0.14.0-rc.1
v0.14.1
v0.14.1-rc.1
v0.14.2
v0.14.2-rc.1
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.11
v0.5.13
v0.5.2
v0.5.5
v0.5.8
v0.5.9
v0.6.1
v0.6.15
v0.6.3
v0.6.9
v0.7.0
v0.7.19
v0.7.22
v0.7.33
v0.7.6
v0.8.0
v0.8.10
v0.8.25
v0.8.43
v0.9.0
v0.9.113
v0.9.128
v0.9.13
v0.9.141
v0.9.46
v0.9.48
v0.9.60
v0.9.71
v0.9.97

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52809.json"