Threat Advisory

Gogs Vulnerabilities Enable Cross-Repository Actions and Unauthorized Uploads

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Four vulnerabilities were identified in the Gogs source code management platform. An Insecure Direct Object Reference (IDOR) flaw in the comment deletion endpoint allows authenticated repository administrators to delete comments from any other repository without proper authorization checks. A broken access control issue in the web UI's label update function permits authenticated users with write access to modify labels in other repositories, because repository ownership is not validated. An access control bypass in the web interface enables collaborators with write permissions to delete protected branches by sending crafted POST requests directly, effectively escalating their privileges. Finally, an unauthenticated file upload vulnerability exposes the attachment endpoints to remote attackers when default settings allow anonymous submission; this could be abused for disk exhaustion or for hosting malicious content.



CVE-2026-25120: An Insecure Direct Object Reference (IDOR) vulnerability in Gogs that allows authenticated users to delete issue comments across repositories by manipulating comment identifiers. The flaw stems from a missing authorization check: the comment deletion handler does not validate that the comment belongs to the repository being acted on. The vulnerability has a CVSS score of 5.1.

CVE-2026-25229: A broken access control vulnerability in Gogs that allows authenticated users with write permissions to modify labels in other repositories. The issue arises from missing repository ownership validation in the label update functionality, which enables cross-repository manipulation. The vulnerability has a CVSS score of 5.3.
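The missing repository ownership check behind both the comment deletion and the label update issues, as an added example in Go that is not Gogs' own code: the in-memory Store, the Object type, the handler names and the sample IDs are assumptions constructed for illustration.

```go
package main

import "errors"

// Constructed model for this example (not Gogs' schema): each object records its repo.
type Object struct {
	ID, RepoID int64 // RepoID: the repository this comment or label belongs to
	Name       string
}

type Store struct{ Objects map[int64]*Object }
var ErrNotFound = errors.New("not found")
var ErrForbidden = errors.New("object belongs to a different repository")

// loadOwned resolves an object by ID and refuses it unless it belongs to the
// repository named in the route. The vulnerable pattern stops after the lookup:
// RepoID is never compared, so any repository's object ID is accepted.
func (s *Store) loadOwned(routeRepoID, id int64) (*Object, error) {
	o, ok := s.Objects[id]
	if !ok {
		return nil, ErrNotFound
	}
	if o.RepoID != routeRepoID {
		return nil, ErrForbidden
	}
	return o, nil
}

// Delete is the hardened shape of the comment deletion handler.
func (s *Store) Delete(routeRepoID, id int64) error {
	if _, err := s.loadOwned(routeRepoID, id); err != nil {
		return err
	}
	delete(s.Objects, id)
	return nil
}

// Rename is the hardened shape of the label update handler.
func (s *Store) Rename(routeRepoID, id int64, name string) error {
	o, err := s.loadOwned(routeRepoID, id)
	if err != nil {
		return err
	}
	o.Name = name
	return nil
}

func main() {
	s := &Store{Objects: map[int64]*Object{7: {ID: 7, RepoID: 2, Name: "bug"}}}
	println(s.Rename(1, 7, "x").Error()) // route repo 1, object in repo 2
}
```

Whether a foreign ID is answered with a 403 or folded into the same 404 as an unknown ID is a deployment choice; the point is that the comparison runs before any write.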


CVE-2026-25232: An access control bypass vulnerability in Gogs that allows authenticated users with write permissions to delete protected branches, including default branches. The issue occurs because branch protection checks are not enforced consistently when handling crafted requests. The vulnerability has a CVSS score of 7.1.


CVE-2026-25242: An unauthenticated file upload vulnerability in Gogs that allows attackers to upload arbitrary files without authentication. The flaw can be abused to host malicious content or to cause denial of service through disk space exhaustion. The vulnerability has a CVSS score of 6.9.


RECOMMENDATION:

  • We strongly recommend updating Gogs to version 0.14.0 or 0.14.1, or a later release.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-jj5m-h57j-5gv7
https://github.com/advisories/GHSA-cv22-72px-f4gh
https://github.com/advisories/GHSA-2c6v-8r3v-gh6p
https://github.com/advisories/GHSA-fc3h-92p8-h36f
