CVE-2026-25232
📋 TL;DR
This CVE describes an access control bypass in the Gogs self-hosted Git service: users with Write permission on a repository can delete protected branches through the web interface, bypassing the branch protection mechanism. Deleting a protected branch is meant to be an Admin-only operation, so the bug effectively grants Write-level collaborators Admin rights for that one action. All Gogs instances running a version before 0.14.1 with protected branches configured are affected.
💻 Affected Systems
- Gogs
📦 What is this software?
Gogs by Gogs
⚠️ Risk & Real-World Impact
Worst Case
Malicious collaborators delete critical protected branches including default branches, causing data loss, disrupting development workflows, and potentially enabling further attacks through repository manipulation.
Likely Case
Accidental or intentional deletion of protected branches by users with Write permission. The deleted branch's commits become unreachable and are lost once the server-side repository is garbage-collected, disrupting development until the branch is reconstructed from a clone or backup.
If Mitigated
Limited impact if strict access controls are enforced and users are properly vetted, though the vulnerability still presents an internal threat.
🎯 Exploit Status
Exploitation requires an authenticated account with Write permission on the target repository and knowledge of the branch deletion endpoint. The attack is a direct POST request to that endpoint, which the vulnerable version accepts without checking whether the branch is protected.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.1
Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p
Restart Required: Yes
Instructions:
1. Back up your Gogs data and configuration.
2. Download Gogs version 0.14.1 or later from the official releases.
3. Stop the Gogs service.
4. Replace the existing Gogs binary with the new version.
5. Restart the Gogs service.
6. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Restrict Write Permissions
Temporarily remove Write permission from users who do not strictly need it on repositories with protected branches, limiting who can reach the vulnerable code path.
Disable Web Interface Branch Deletion
Disable branch deletion through the web interface entirely, forcing all branch management through Git commands, where the server-side permission checks still apply.
🧯 If You Can't Patch
- Implement strict access controls and review all users with Write permissions to repositories with protected branches.
- Monitor logs for branch deletion attempts and implement alerts for unauthorized deletion of protected branches.
🔍 How to Verify
Check if Vulnerable:
Check your Gogs version by accessing the admin panel or running './gogs --version' from the installation directory. Any version earlier than 0.14.1 is vulnerable.
Check Version:
./gogs --version
Verify Fix Applied:
After updating to 0.14.1 or later, verify the version and test that users with Write permissions cannot delete protected branches through the web interface.
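The version check above is easy to get wrong by hand: comparing version strings lexicographically ranks "0.9.0" above "0.14.1" and would pass an old install. The following is an added example, not part of the original page or of the Gogs project, that parses the output of `./gogs --version` and compares it as integer components against 0.14.1. It assumes the binary prints a line containing the version number (for example "Gogs version 0.13.3"); the `check_local_binary` helper and the pre-release handling are this example's own choices.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release the advisory lists as patched. The trailing 1 is a "final
# release" flag so that a pre-release of 0.14.1 (e.g. 0.14.1-rc1) sorts below it.
FIXED_VERSION = (0, 14, 1, 1)

# Assumed output shape: "Gogs version 0.13.3". Anything that follows the numeric
# part after a hyphen is treated as a pre-release tag.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, is_final) from version output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    is_final = 0 if m.group("pre") else 1
    return (major, minor, patch, is_final)


def is_vulnerable(version_output: str) -> Optional[bool]:
    """True if the reported version is older than 0.14.1, None if unparsable.

    Integer-tuple comparison avoids the string-compare trap where "0.9.0"
    would look newer than "0.14.1".
    """
    v = parse_version(version_output)
    if v is None:
        return None
    return v < FIXED_VERSION


def check_local_binary(path: str = "./gogs") -> Optional[bool]:
    """Run the binary and classify it; None if it cannot be run or parsed."""
    try:
        out = subprocess.run(
            [path, "--version"], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable(out.stdout + out.stderr)


if __name__ == "__main__":
    verdict = check_local_binary()
    if verdict is None:
        print("could not determine Gogs version")
    elif verdict:
        print("VULNERABLE: Gogs older than 0.14.1, update required")
    else:
        print("patched: Gogs 0.14.1 or later")
```

Run it from the Gogs installation directory; the version string can also be pasted into `is_vulnerable` when the binary is on a host you cannot execute commands on.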
📡 Detection & Monitoring
Log Indicators:
- POST requests to branch deletion endpoints from non-admin users
- Successful deletion of protected branches in audit logs
- Unauthorized branch deletion attempts
Network Indicators:
- HTTP POST requests to /api/v1/repos/[owner]/[repo]/branches/[branch] endpoint from users with only Write permissions
SIEM Query (field names depend on your log pipeline; map `user_role` to however your schema records repository role, since raw access logs usually carry only the username):
source="gogs" AND (http_method="POST" AND uri="/api/v1/repos/*/branches/*" AND user_role!="admin")
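The log and network indicators above, turned into detection logic that runs over access-log lines. This is an added example and not code from the page or the Gogs project. It assumes a reverse proxy in front of Gogs writing Common Log Format with the authenticated username in the third field; the sample lines are constructed for the example, and because access logs rarely carry a role field, the caller supplies the set of admin usernames instead of the `user_role` field used in the SIEM query. DELETE is matched alongside the POST the page reports, as the conventional REST verb for the same operation.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Assumed access-log shape: Common Log Format from a reverse proxy, with the
# authenticated user in the third field. Adjust LOG_RE for your proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Branch-deletion route listed on this page; the captures identify the target.
BRANCH_DELETE_RE = re.compile(
    r"^/api/v1/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/branches/(?P<branch>[^?]+)$"
)

# The page reports the bypass as a POST; DELETE is added as the conventional
# REST verb for the same operation (this example's choice).
DELETION_METHODS = {"POST", "DELETE"}

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Feb/2026:12:00:01 +0000] "POST /api/v1/repos/acme/payments/branches/main HTTP/1.1" 200 12
10.0.0.9 - root [10/Feb/2026:12:00:02 +0000] "POST /api/v1/repos/acme/payments/branches/feature-x HTTP/1.1" 200 12
10.0.0.5 - alice [10/Feb/2026:12:00:03 +0000] "GET /api/v1/repos/acme/payments/branches/main HTTP/1.1" 200 512
10.0.0.7 - bob [10/Feb/2026:12:00:04 +0000] "DELETE /api/v1/repos/acme/payments/branches/release HTTP/1.1" 403 0
this line is not an access-log record
""".splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_branch_deletions(lines: Iterable[str], admins: Set[str]) -> List[dict]:
    """Return one alert per branch-deletion request made by a non-admin user.

    `admins` holds usernames with Admin rights on the repository, who are
    allowed to delete protected branches. Rejected attempts (non-2xx/3xx)
    are still reported, with `succeeded` set to False, because the page lists
    unauthorized attempts as an indicator in their own right.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip instead of crashing the pipeline
        if rec["method"] not in DELETION_METHODS:
            continue
        route = BRANCH_DELETE_RE.match(rec["uri"])
        if route is None:
            continue
        if rec["user"] in admins:
            continue
        alerts.append({
            "user": rec["user"],
            "ip": rec["ip"],
            "time": rec["ts"],
            "owner": route["owner"],
            "repo": route["repo"],
            "branch": route["branch"],
            "method": rec["method"],
            "succeeded": rec["status"][0] in "23",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_branch_deletions(SAMPLE_LOG, admins={"root"}):
        state = "DELETED" if alert["succeeded"] else "attempted"
        print(f"{alert['time']} {alert['user']}@{alert['ip']} {state} "
              f"{alert['owner']}/{alert['repo']}:{alert['branch']} via {alert['method']}")
```

On the sample input this flags alice's successful deletion of `main` and bob's rejected DELETE of `release`, and ignores root's deletion and alice's GET. Feed it `tail -f` output or a SIEM export; a successful hit by a non-admin on an instance older than 0.14.1 should be treated as a protected-branch compromise and the branch restored from a clone or backup.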