CVE-2026-23632
📋 TL;DR
This vulnerability allows attackers with read-only access tokens to modify repository contents in Gogs self-hosted Git service. It affects all Gogs instances running version 0.13.3 or earlier. Attackers can push unauthorized commits to repositories they should only be able to read.
💻 Affected Systems
- Gogs
📦 What is this software?
Gogs by Gogs
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors could inject malicious code into repositories, compromise software supply chains, or deface repositories with sensitive content.
Likely Case
Unauthorized modifications to repository files, potentially introducing bugs, backdoors, or inappropriate content.
If Mitigated
Limited to authorized users with proper access controls; read-only tokens function as intended.
🎯 Exploit Status
Exploitation requires a valid read-only token; the vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.4 or 0.14.0+dev
Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr
Restart Required: Yes
Instructions:
1. Backup your Gogs data and configuration.
2. Download and install Gogs version 0.13.4 or later from the official repository.
3. Restart the Gogs service.
4. Verify the update by checking the version in the web interface or via command line.
🔧 Temporary Workarounds
Restrict API endpoint access
Block or restrict access to the vulnerable PUT /repos/:owner/:repo/contents/* endpoint using network controls or web application firewalls.
Revoke and regenerate tokens
Revoke all existing read-only tokens and regenerate them after patching to ensure no compromised tokens remain active.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Gogs instances from untrusted networks.
- Audit and monitor all repository modifications for unauthorized changes, especially from read-only token holders.
🔍 How to Verify
Check if Vulnerable:
Check the Gogs version via the web interface (Admin Panel > Configuration) or by examining the binary/installation directory.
Check Version:
gogs --version or check the version file in the installation directory.
Verify Fix Applied:
After updating, confirm the version is 0.13.4 or later and test that read-only tokens can no longer modify repository contents via the PUT endpoint.
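The version comparison above is easy to get wrong by hand (a string compare puts 0.13.10 before 0.13.4, and the 0.14.0+dev build carries a "+dev" suffix). The following is an added helper, not part of this advisory or of the Gogs project, that extracts the numeric version from a string and classifies it against the fixed version 0.13.4. It assumes that `gogs --version` prints the version number somewhere in its output; the exact wording of that output is not given on this page.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release from the advisory: 0.13.4 (0.14.0+dev is also fixed).
FIXED_VERSION = (0, 13, 4)

# MAJOR.MINOR.PATCH anywhere in the text; build metadata such as "+dev" is
# deliberately not captured so that "0.14.0+dev" parses as (0, 14, 0).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the numeric version triple found in text, or None if absent."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """True for 0.13.3 and earlier, False for 0.13.4 and later,
    None when no version number could be parsed from text."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, so 0.13.10 > 0.13.4.
    return version < FIXED_VERSION


def check_installed(binary: str = "gogs") -> Optional[bool]:
    """Run `gogs --version` (the command named in the advisory) and classify
    its output. Assumption: the version number appears in stdout or stderr."""
    try:
        completed = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return is_vulnerable(completed.stdout + completed.stderr)


if __name__ == "__main__":
    for sample in ("0.13.3", "0.13.4", "0.13.10", "0.14.0+dev", "Gogs version 0.12.11"):
        print(f"{sample!r:>28} -> vulnerable: {is_vulnerable(sample)}")
```

Run it on the host where Gogs is installed and call `check_installed()`; a result of `None` means the binary was not found or printed no recognizable version, and the web interface (Admin Panel > Configuration) should be consulted instead.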
📡 Detection & Monitoring
Log Indicators:
- Unauthorized commit attempts from read-only tokens
- Failed or successful PUT requests to /repos/*/contents/* with read-only authentication
Network Indicators:
- Unusual PUT requests to repository content endpoints from known read-only token sources
SIEM Query:
source="gogs" AND (method="PUT" AND uri="/repos/*/contents/*") AND user_permission="read-only"
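The SIEM query above can be checked offline before it is deployed. The following is an added example, not part of this advisory or of Gogs, that applies the same predicate to a handful of constructed log events (key=value lines using the query's field names; Gogs' real log format is not shown on this page) and separates PUT requests that the server accepted, which mean the repository was actually modified and needs incident response, from attempts it rejected, which still identify a token worth revoking. The glob `/repos/*/contents/*` is translated into a regex that treats owner and repository as single path segments.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not Gogs' real log format). Field names follow
# the SIEM query: source, method, uri, user_permission.
SAMPLE_LOGS = """\
ts=2026-01-10T12:00:01Z source=gogs method=GET uri=/repos/acme/app/contents/README.md user=alice user_permission=read-only status=200
ts=2026-01-10T12:00:05Z source=gogs method=PUT uri=/repos/acme/app/contents/src/main.go user=alice user_permission=read-only status=200
ts=2026-01-10T12:01:00Z source=gogs method=PUT uri=/repos/acme/app/contents/README.md user=bob user_permission=write status=200
ts=2026-01-10T12:02:30Z source=nginx method=PUT uri=/repos/acme/app/contents/ci.yml user=carol user_permission=read-only status=403
ts=2026-01-10T12:03:00Z source=gogs method=PUT uri=/repos/acme/app/contents/ci.yml user=dave user_permission=read-only status=403
ts=2026-01-10T12:04:00Z source=gogs method=PUT uri=/repos/acme/app/issues/7 user=erin user_permission=read-only status=403
"""

# Regex form of the query's glob "/repos/*/contents/*": one owner segment,
# one repository segment, then "contents/" and a non-empty file path.
CONTENTS_ENDPOINT = re.compile(r"^/repos/[^/]+/[^/]+/contents/.+$")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def matches_siem_query(event: Dict[str, str]) -> bool:
    """Same predicate as the SIEM query: a gogs-sourced PUT to a repository
    contents endpoint authenticated with a read-only token. Events from
    other sources (e.g. a reverse proxy) are not matched, so proxy-side
    blocks from the workaround above need their own query."""
    return (
        event.get("source") == "gogs"
        and event.get("method") == "PUT"
        and CONTENTS_ENDPOINT.match(event.get("uri", "")) is not None
        and event.get("user_permission") == "read-only"
    )


def triage(log_text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (succeeded, rejected): matching events whose status is 2xx
    mean a read-only token actually modified the repository; any other
    status is a rejected attempt that still warrants reviewing the token."""
    succeeded: List[Dict[str, str]] = []
    rejected: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if not matches_siem_query(event):
            continue
        if event.get("status", "").startswith("2"):
            succeeded.append(event)
        else:
            rejected.append(event)
    return succeeded, rejected


if __name__ == "__main__":
    modified, attempts = triage(SAMPLE_LOGS)
    for e in modified:
        print("MODIFIED by read-only token:", e["ts"], e["user"], e["uri"])
    for e in attempts:
        print("rejected attempt:", e["ts"], e["user"], e["uri"])
```

On the constructed sample only alice's PUT is a confirmed modification (the commit she pushed should be reviewed and reverted), dave's is a rejected attempt, bob is excluded because his token has write permission, carol because her event came from the proxy rather than from Gogs, and erin because the issues endpoint is not a contents endpoint.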