Gogs user can update repository content with read-only permission
基本資訊
- GHSA ID: GHSA-5qhx-gwfj-6jqr
- CVE ID: CVE-2026-23632
- 嚴重性: MEDIUM
- 發布時間: 2026-02-06T18:10:05Z
- 來源: GitHub Advisory
漏洞描述
Vulnerability Description
The endpoint
PUT /repos/:owner/:repo/contents/*
does not require write permissions and allows access with read permission only via repoAssignment().
After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in:
- Commit creation
- Execution of
git push
As a result, a token with read-only permission can be used to modify repository contents.
Attack Prerequisites
- Possession of a valid access token
- Read permission on the target repository (public repository or collaborator with read access)
Attack Scenario
- The attacker accesses the target repository with a read-only token
- The attacker sends a
PUT /contentsrequest to update an arbitrary file - The server creates a commit and performs a git push on behalf of the attacker
Potential Impact
- Source code tampering
- Injection of backdoors
- Compromise of release artifacts and distributed packages
影響範圍
- go:gogs.io/gogs (<= 0.13.3) → 0.13.4
CVSS 評分
- CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
CWE 分類
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
EPSS 評分
- EPSS: N/A
萃取備註
- 資料來源: GitHub Security Advisories Database
- 信心水準: 高(官方漏洞資料庫)
- 處理時間: 2026-02-08T07:48:02.894789