CVE-2026-25232

HIGH

Gogs <=0.13.4 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-25232. PoCs published by adminlove520, H1sok444.

AI-analyzed exploit summary

This repository provides a detailed technical analysis of CVE-2026-25232, an authorization bypass vulnerability in Gogs that allows users with Write permissions to delete protected branches. The writeup includes root cause analysis, proof-of-concept steps, and remediation guidance.

Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function enables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although the Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in a complete bypass of the protection mechanism. In order to exploit this vulnerability, attackers must have Write permissions on the target repository, protected branches configured on the target repository, and access to the Gogs web interface. This issue has been fixed in version 0.14.1.

Exploits (2)

github WRITEUP 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-25232

This repository provides a detailed technical analysis of CVE-2026-25232, an authorization bypass vulnerability in Gogs that allows users with Write permissions to delete protected branches. The writeup includes root cause analysis, proof-of-concept steps, and remediation guidance.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Gogs (Go Git Service) <= 0.13.4
Auth required
Prerequisites: Gogs account with Write permissions · Protected branches configured on the target repository · Network access to the Gogs web interface
devstral-2 · analyzed May 11, 2026
nomisec WRITEUP
by H1sok444 · poc
https://github.com/H1sok444/CVE-2026-25232-PoC

This repository provides a detailed technical analysis of CVE-2026-25232, an authorization bypass vulnerability in Gogs that allows Write-level collaborators to delete protected branches via direct POST requests to the DeleteBranchPost endpoint. The writeup includes root cause analysis, proof-of-concept steps, and remediation guidance.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Gogs (Go Git Service) <= 0.13.4
Auth required
Prerequisites: Gogs account with Write permissions · Protected branches configured · Network access to Gogs web interface
devstral-2 · analyzed Apr 19, 2026

Scores

CVSS v3 8.8
EPSS 0.0002
EPSS Percentile 4.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (2)
gogs/gogs < 0.14.1
gogs.io/gogs 0 - 0.14.1 (Go)
Published Feb 19, 2026
Tracked Since Feb 19, 2026