GHSA-x9p5-w45c-7ffc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x9p5-w45c-7ffc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x9p5-w45c-7ffc/GHSA-x9p5-w45c-7ffc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x9p5-w45c-7ffc
- Aliases
- Published
- 2026-03-05T19:50:35Z
- Modified
- 2026-03-23T04:56:01.681456072Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Gogs: Access tokens get exposed through URL params in API requests
- Details
-
Summary
The Gogs API still accepts tokens in URL parameters such as
tokenandaccess_token, which can leak through logs, browser history, and referrers.Details
A static review shows that the API still checks tokens in the URL query before looking at headers:
- internal/context/auth.go reads
c.Query("token") - internal/context/auth.go falls back to
c.Query("access_token") - internal/context/auth.go only checks the
Authorizationheader when the query token is empty - internal/context/auth.go authenticates using that token and marks the request as token-authenticated
Token-authenticated requests are accepted by API routes through
c.IsTokenAuthchecks: - internal/route/api/v1/api.goImpact
If tokens are sent in URLs such as
/api/v1/user?token=..., they can leak in logs, browser or shell history, and referrer headers, and can be reused until revoked.Recommended Fix
- Authentication headers should be used exclusively for token transmission.
- Token parameters should be blocked at the proxy or WAF level.
- Query strings should be scrubbed from logs.
- A strict referrer policy should be set.
Remediation
A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.
- internal/context/auth.go reads
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2026-03-05T19:16:04Z", "github_reviewed_at": "2026-03-05T19:50:35Z", "cwe_ids": [ "CWE-598" ], "severity": "MODERATE" }- References
-
- https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc
- https://nvd.nist.gov/vuln/detail/CVE-2026-26196
- https://github.com/gogs/gogs/pull/8177
- https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd
- https://github.com/gogs/gogs
- https://github.com/gogs/gogs/releases/tag/v0.14.2
Affected packages
Go / gogs.io/gogs
Package
- Name
- gogs.io/gogs
- View open source insights on deps.dev
- Purl
- pkg:golang/gogs.io/gogs