CVE-2026-52800: Gogs CSRF Leading to Organization Owner Takeover
A missing CSRF check on Gogs organization team management endpoints lets an attacker hijack an org by tricking a logged-in owner into opening a crafted link.

The problem
In Gogs before 0.14.3, the route for team member actions accepts both GET and POST requests. The global CSRF middleware only validates tokens on POST, so any GET request to that route executes without a token check.
An attacker who already has a Gogs account can craft a URL targeting the Owners team add action. Any organization owner who visits that URL, even via an embedded image or redirect, triggers the state change and adds the attacker to the Owners team. The attacker immediately gains full organization privileges: access to all private repos, settings, and members.
Proof of concept
GET /org/org3/teams/owners/action/add?uid=1&uname=attacker HTTP/1.1
Host: gogs.example.com
Cookie: i_like_gogs=<victim_session>

The route was defined as m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction), allowing GET. The auth middleware checks c.Req.Method == "POST" before calling csrf.Validate, so GET requests skip token validation entirely.
TeamsAction reads uid and uname from the query string and calls Team.AddMember without any HTTP method guard. When the target team is Owners, AddMember sets OrgUser.IsOwner = true in the database, so a single request that never passes CSRF validation completes the privilege escalation.
The fix in PR #8321 (commit 070df61) restricts the route to POST only, so the CSRF check now applies to every team and member action.
The fix
Upgrade to Gogs 0.14.3. The patch changes the teams action route from accepting GET and POST to POST only, so every state-changing call now goes through CSRF validation. No configuration change is needed beyond the upgrade.
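As an added illustration (not code from this advisory or from the Gogs project), the following Go program reproduces with the standard net/http package the two-layer pattern the advisory describes: a CSRF check that runs only on POST, and a team action route registered for GET and POST (vulnerable) versus POST only (the 0.14.3 fix). The route path, the orgState type, the _csrf form field and the token value are constructed for the example; only the uid and uname query parameters and the action path segments are taken from the advisory's request. Running it shows the cross-site GET succeeding against the first router and being rejected by the second, while a legitimate tokenised POST still works.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// csrfToken is a constructed stand-in for the per-session token the real
// middleware would compare against; it is not a Gogs value.
const csrfToken = "constructed-session-csrf-token"

// orgState is a constructed stand-in for the Owners team membership table.
type orgState struct {
	owners map[string]bool
}

// csrfOnlyOnPOST mirrors the pre-0.14.3 behaviour the advisory describes:
// the token is validated only when the method is POST, so a GET reaches
// the handler without any token check.
func csrfOnlyOnPOST(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && r.FormValue("_csrf") != csrfToken {
			http.Error(w, "invalid csrf token", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// postOnly is the route-level restriction the fix introduces: anything that
// is not a POST is rejected before the CSRF check or the handler is reached.
func postOnly(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next(w, r)
	}
}

// teamsAction stands in for TeamsAction: it reads uname from the query string
// and adds that user to the Owners team with no method guard of its own.
func (s *orgState) teamsAction(w http.ResponseWriter, r *http.Request) {
	uname := r.URL.Query().Get("uname")
	if uname == "" {
		http.Error(w, "missing uname", http.StatusBadRequest)
		return
	}
	s.owners[uname] = true
	fmt.Fprintf(w, "added %s to owners\n", uname)
}

// vulnerableMux registers the action for GET and POST alike, as the original
// m.Route("/teams/:team/action/:action", "GET,POST", ...) did.
func vulnerableMux(s *orgState) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/org/teams/owners/action/add", csrfOnlyOnPOST(s.teamsAction))
	return mux
}

// fixedMux applies the 0.14.3 change: POST only, so every call that can
// change state passes through the CSRF check before the handler runs.
func fixedMux(s *orgState) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/org/teams/owners/action/add", postOnly(csrfOnlyOnPOST(s.teamsAction)))
	return mux
}

// simulate sends one request against a fresh org (victim is the only owner)
// and reports the status code and whether "attacker" became an owner. The
// URL mirrors the advisory's request; the token, when sent, is the
// constructed one above, as a logged-in owner's own form submission would carry.
func simulate(build func(*orgState) http.Handler, method string, withToken bool) (int, bool) {
	state := &orgState{owners: map[string]bool{"victim": true}}
	var body io.Reader
	if withToken {
		body = strings.NewReader(url.Values{"_csrf": {csrfToken}}.Encode())
	}
	req := httptest.NewRequest(method, "/org/teams/owners/action/add?uid=1&uname=attacker", body)
	if withToken {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	build(state).ServeHTTP(rec, req)
	return rec.Code, state.owners["attacker"]
}

func main() {
	cases := []struct {
		name   string
		build  func(*orgState) http.Handler
		method string
		token  bool
	}{
		{"vulnerable, cross-site GET, no token", vulnerableMux, http.MethodGet, false},
		{"fixed, cross-site GET, no token", fixedMux, http.MethodGet, false},
		{"fixed, POST without token", fixedMux, http.MethodPost, false},
		{"fixed, POST with valid token", fixedMux, http.MethodPost, true},
	}
	for _, c := range cases {
		code, added := simulate(c.build, c.method, c.token)
		fmt.Printf("%-38s status=%d attackerIsOwner=%v\n", c.name, code, added)
	}
}
```

The design point is that the method restriction and the CSRF check are complementary: the middleware's "only on POST" rule is sound only if no state-changing route is reachable by GET, which is exactly the invariant the route change restores. When auditing similar code, look for every route registered with a method list that includes GET and confirm its handler is read-only.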