CVE Catalog

CVE-2026-52815

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.55%

72th percentile — higher than 72% of all known CVEs

Summary

Gogs, an open source Git service, prior to version 0.14.3 has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint returns all teams for any organization without requiring authentication.

Risk Assessment

Organizations may be exposed to the disclosure of sensitive team information such as IDs, names, descriptions, and permission levels, potentially leading to unauthorized access or attacks.

Recommendation

It is recommended to update Gogs to version 0.14.3 or later to mitigate this vulnerability and to implement appropriate authentication mechanisms for API endpoints.

Original NVD description (English source)

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS