GHSA-5c3f-6486-3g7g: Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
mediumvulnerability
security
Summary
Gogs (a Git service) has a bug where password-reset tokens use the account-activation lifetime instead of the configured reset-password lifetime. The token's expiration time is baked into the token itself when it's created, so changing the reset-password timeout setting has no effect, and attackers who intercept a reset token can use it far longer than administrators intended.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
June 23, 2026
Classification
Attack SophisticationModerate
Affected Packages
gogs.io/gogs@< 0.14.3 (fixed: 0.14.3)
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-5c3f-6486-3g7g
First tracked: June 23, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%