CVE-2026-25232HIGH 8.8EPSS p34.7%

CVE-2026-25232CVE-2026-25232

Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured to the target repository and access to the Gogs web interface. This issue has been fixed in version 0.14.1.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.44% probability of exploitation · percentile 34.7% · 2026-06-19T12:03:05Z
Published2026-02-19
Last modified2026-02-19

Underlying weaknesses· 1

CWE-863

References

  1. https://github.com/gogs/gogs/commit/7b7e38c88007a7c482dbf31efff896185fd9b79c
  2. https://github.com/gogs/gogs/pull/8124
  3. https://github.com/gogs/gogs/releases/tag/v0.14.1
  4. https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p

1

TypeTargetConfidenceTier
WeaknessIncorrect Authorizationcwe-8630%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-24135
CVE
CVE-2026-25242
CVE
CVE-2025-64111
CVE
CVE-2026-25921
CVE
CVE-2025-64175
CVE
CVE-2026-40189
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.