GHSA-268j-37xf-pp52: Gogs's write-level collaborators can mutate admin-only repository settings via API
highvulnerability
security
Summary
Gogs (a self-hosted Git service) has three API endpoints that incorrectly allow write-level collaborators to change admin-only repository settings. These endpoints use `reqRepoWriter()` middleware instead of `reqRepoAdmin()`, meaning users with basic write access can disable the issue tracker or wiki, inject malicious external URLs that redirect visitors, or trigger mirror sync operations. The web interface correctly requires admin access for these same operations, creating a security inconsistency.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
June 23, 2026
Classification
Attack SophisticationTrivial
Affected Packages
gogs.io/gogs@< 0.14.3 (fixed: 0.14.3)
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-268j-37xf-pp52
First tracked: June 23, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%