4 matches found
CVE-2026-52808 Gogs: Write-level collaborators can mutate admin-only repository settings via API
Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent...
CVE-2026-52808
Summary : Gogs exposes an authorization flaw where three admin-equivalent API endpoints (PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, POST /api/v1/repos/:owner/:repo/mirror-sync) are protected by write-level middleware (reqRepoWriter) instead of admin-lev...
GHSA-268J-37XF-PP52 Gogs's write-level collaborators can mutate admin-only repository settings via API
Summary Three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent operations in the web UI sit behind reqRepoAdmin, which requir...
Gogs's write-level collaborators can mutate admin-only repository settings via API
Summary Three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent operations in the web UI sit behind reqRepoAdmin, which requir...