CVE-2026-52800
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
Gogs before version 0.14.3 allows organization team member management via GET requests without CSRF protection. An attacker can exploit this vulnerability by tricking a logged-in organization owner into visiting a crafted link, resulting in adding an attacker-controlled user to the Owners team and gaining organization owner-equivalent privileges.
Risk Assessment
The risk involves potential takeover of the organization by an attacker, leading to unauthorized access to repositories, source code modification, and data theft.
Recommendation
Immediately update Gogs to version 0.14.3 or later, which includes a fix for the missing CSRF protection in organization team member management.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the attacker gains organization owner–equivalent privileges. This vulnerability is fixed in 0.14.3.

