CVE-2026-25229

MEDIUM

6.5

Beschreibung

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.

CVE Details

CVSS v3.1 Bewertung6.5

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienLOW

BenutzerinteraktionNONE

Veroffentlicht2/19/2026

Zuletzt geandert2/19/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

gogs:gogs

Schwachen (CWE)

CWE-284

Referenzen

https://github.com/gogs/gogs/commit/643a6d6353cb6a182a4e1f0720228727f30a3ad2(security-advisories@github.com)

https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.