CVE-2026-52809
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
In Gogs before version 0.14.3, password-reset tokens are generated using the account-activation lifetime (conf.Auth.ActivateCodeLives) instead of the reset-password lifetime (conf.Auth.ResetPasswordCodeLives). The token lifetime is embedded in the token at generation time and re-extracted at verification, making RESET_PASSWORD_CODE_LIVES irrelevant. Even if an administrator configures a shorter reset window (e.g., 10 minutes), tokens remain valid for the full activation lifetime, while the reset email falsely advertises the shorter expiry.
Risk Assessment
The risk is that an attacker can exploit a password-reset token for longer than intended, enabling unauthorized account takeover, especially when an administrator set a short reset window for compliance or security reasons.
Recommendation
Immediately upgrade Gogs to version 0.14.3 or later, which fixes this vulnerability. After upgrading, invalidate all existing password-reset tokens.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.

