CVE Catalog

CVE-2026-52800

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

Gogs before version 0.14.3 allows organization team member management via GET requests without CSRF protection. An attacker can exploit this vulnerability by tricking a logged-in organization owner into visiting a crafted link, resulting in adding an attacker-controlled user to the Owners team and gaining organization owner-equivalent privileges.

Risk Assessment

The risk involves potential takeover of the organization by an attacker, leading to unauthorized access to repositories, source code modification, and data theft.

Recommendation

Immediately update Gogs to version 0.14.3 or later, which includes a fix for the missing CSRF protection in organization team member management.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS