CVE-2026-52804

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

High

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Physical

Affected products

gogs / gogs< 0.14.3 – < 0.14.3

References

VENDOR_ADVISORYhttps://github.com/gogs/gogs/security/advisories/GHSA-4565-r4x7-hg8j
PATCHhttps://github.com/gogs/gogs/pull/8227
PATCHhttps://github.com/gogs/gogs/commit/1fdc9cc28e159135cfa4d6b11ecd5daa0f8ce22b
PATCHhttps://github.com/gogs/gogs/releases/tag/v0.14.3