cvedb.io
CVE-2026-25232
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-02-19T07:17:45.520 · Last modified 2026-06-17T10:24:20.827

Summary

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attacker

Affected products

gogs — gogs

Does this affect you?

Add your gear to cvedb and we'll alert you only when gogs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.