CVE-2026-25120
📋 TL;DR
This vulnerability allows repository administrators in Gogs to delete comments from any repository by manipulating comment IDs, bypassing authorization controls. It affects all Gogs instances running version 0.13.4 or below where users have repository administrator privileges.
💻 Affected Systems
- Gogs
📦 What is this software?
Gogs, a self-hosted Git service, developed by the Gogs project.
⚠️ Risk & Real-World Impact
Worst Case
Malicious or compromised repository administrators could delete critical comments across all repositories, potentially destroying audit trails, development discussions, or code review feedback.
Likely Case
Repository administrators could accidentally or intentionally delete comments from repositories they shouldn't have access to, disrupting collaboration and potentially removing important context from code reviews.
If Mitigated
With proper access controls and monitoring, impact would be limited to authorized deletions within intended repositories only.
🎯 Exploit Status
Exploitation requires repository administrator access and knowledge of comment IDs from other repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.0
Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7
Restart Required: Yes
Instructions:
1. Back up your Gogs data and configuration.
2. Download Gogs version 0.14.0 or later from the official repository.
3. Stop the Gogs service.
4. Replace the existing Gogs binary with the new version.
5. Restart the Gogs service.
6. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict API Access
Limit access to the DeleteComment API endpoint using network controls or web application firewalls.
Enhanced Monitoring
Implement logging and alerting for comment deletion events that cross repository boundaries.
🧯 If You Can't Patch
- Implement strict access controls and review repository administrator assignments
- Enable comprehensive audit logging for all comment deletion operations
🔍 How to Verify
Check if Vulnerable:
Confirm whether the Gogs version is 0.13.4 or below by checking the version shown in the web interface or in the configuration files.
Check Version:
Check the Gogs web interface footer or, when running from the command line, examine the output of gogs --version.
Verify Fix Applied:
After upgrading, verify the version is 0.14.0 or higher and test that repository administrators cannot delete comments from repositories they don't own.
📡 Detection & Monitoring
Log Indicators:
- Comment deletion events where the repository ID in the request does not match the repository that owns the comment
- Multiple comment deletions across different repositories by the same user
Network Indicators:
- HTTP requests to the DeleteComment API endpoint where the repository in the request does not match the repository that owns the referenced comment
SIEM Query:
source="gogs" action="delete_comment" | where repository_id != comment_repository_id
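The two log indicators above, run over constructed Gogs-style audit lines, as an added example that is not part of the advisory or the Gogs project. The key=value field names (user, action, repository_id, comment_id, comment_repository_id) mirror the SIEM query and are an assumption; map them to your actual log schema.

```python
# Added detection example (not from the advisory or Gogs): flag comment deletions
# whose request repository differs from the comment's owning repository, and users
# whose deletions touch comments owned by several repositories.
from collections import defaultdict

# Constructed sample log lines, not real Gogs output. Field names are assumed.
SAMPLE_LOG = """\
source=gogs action=delete_comment user=alice repository_id=7 comment_id=101 comment_repository_id=7
source=gogs action=delete_comment user=mallory repository_id=7 comment_id=555 comment_repository_id=12
source=gogs action=delete_comment user=mallory repository_id=7 comment_id=556 comment_repository_id=12
source=gogs action=delete_comment user=mallory repository_id=7 comment_id=900 comment_repository_id=31
source=gogs action=edit_comment user=bob repository_id=12 comment_id=555 comment_repository_id=12
"""

def parse_log(text):
    """Parse key=value lines into dicts; ID fields are converted to ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        for key in ("repository_id", "comment_id", "comment_repository_id"):
            if key in fields:
                fields[key] = int(fields[key])
        events.append(fields)
    return events

def cross_repo_deletions(events):
    """Indicator 1: deletions where the request repository is not the comment's owning repository."""
    return [e for e in events
            if e.get("action") == "delete_comment"
            and e.get("repository_id") != e.get("comment_repository_id")]

def users_deleting_across_repos(events, min_repos=2):
    """Indicator 2: users whose deletions hit comments owned by >= min_repos distinct repositories.
    Noisy on its own (admins of several repositories trigger it), so correlate with indicator 1."""
    repos_by_user = defaultdict(set)
    for e in events:
        if e.get("action") == "delete_comment":
            repos_by_user[e["user"]].add(e["comment_repository_id"])
    return {user: repos for user, repos in repos_by_user.items() if len(repos) >= min_repos}

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in cross_repo_deletions(events):
        print(f"ALERT cross-repo deletion: user={e['user']} request_repo={e['repository_id']} "
              f"owning_repo={e['comment_repository_id']} comment_id={e['comment_id']}")
    for user, repos in users_deleting_across_repos(events).items():
        print(f"ALERT multi-repo deleter: user={user} repos={sorted(repos)}")
```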