CVE-2026-52799
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
Gogs is an open source Git service that prior to version 0.14.3 allowed downloading attachments without verifying user permissions. Unauthenticated users could download attachments from private repositories.
Risk Assessment
Organizations may be exposed to data leaks as unauthorized users can access confidential attachments. This could lead to privacy breaches and data security issues.
Recommendation
It is recommended to upgrade Gogs to version 0.14.3 or later to mitigate this vulnerability. Additionally, consider enabling the REQUIRE_SIGNIN_VIEW option in test environments.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3.

