Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

INFO

Published Date :

2026-02-06T17:43:45.757Z

Last Modified :

2026-02-06T18:54:15.180Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23632 vulnerability.

Vendors Products
Gogs
  • Gogs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23632.

URL Resource
https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact