Moderate severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026
Gogs is Vulnerable to Denial of Service
CVE-2026-22592
Description
Gogs is an open source self-hosted Git service. In versions 0.13.3 and prior, an authenticated user can cause a denial of service (DoS): if one of the repo files is deleted before synchronization, the application crashes. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | < 0.13.4 | 0.13.4 |
Patches
961a79e8f9f2 api: verify owner access to delete repos (#8101)
1 file changed · +12 −2
internal/route/api/v1/api.go+12 −2 modified@@ -148,7 +148,7 @@ func reqRepoWriter() macaron.Handler { } } -// reqRepoWriter makes sure the context user has at least admin access to the repository. +// reqRepoAdmin makes sure the context user has at least admin access to the repository. func reqRepoAdmin() macaron.Handler { return func(c *context.Context) { if !c.Repo.IsAdmin() { @@ -158,6 +158,16 @@ func reqRepoAdmin() macaron.Handler { } } +// reqRepoOwner makes sure the context user has owner access to the repository. +func reqRepoOwner() macaron.Handler { + return func(c *context.Context) { + if !c.Repo.IsOwner() { + c.Status(http.StatusForbidden) + return + } + } +} + func mustEnableIssues(c *context.APIContext) { if !c.Repo.Repository.EnableIssues || c.Repo.Repository.EnableExternalTracker { c.NotFound() @@ -250,7 +260,7 @@ func RegisterRoutes(m *macaron.Macaron) { m.Group("/repos", func() { m.Post("/migrate", bind(form.MigrateRepo{}), repo.Migrate) - m.Delete("/:username/:reponame", repoAssignment(), repo.Delete) + m.Delete("/:username/:reponame", repoAssignment(), reqRepoOwner(), repo.Delete) m.Group("/:username/:reponame", func() { m.Group("/hooks", func() {
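Review bot: In the hunk at @@ -158,6 +158,16, the doc comment on reqRepoOwner says "owner access" without stating how that differs from the admin access checked by reqRepoAdmin directly above it. Please spell out what c.Repo.IsOwner() covers so the next route author picks the right guard. The rejection is also a bare c.Status(http.StatusForbidden) with no body, while mustEnableIssues just below takes a *context.APIContext and answers through c.NotFound(); consider whether this handler should take *context.APIContext as well so API clients get a consistent error response.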
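Review bot: In the hunk at @@ -250,7 +260,7, the new guard on m.Delete("/:username/:reponame", ...) ships without a test: the patch is 1 file changed, all of it in internal/route/api/v1/api.go. Please add a route test asserting that a non-owner receives 403 from this DELETE and that an owner can still delete. reqRepoOwner() reads c.Repo, so it should stay after repoAssignment() in the chain as written; a short comment on that ordering would help. Note also that the advisory describes a crash when repo files are deleted before synchronization, and this diff only narrows who can reach repo.Delete. Nothing here changes the synchronization path, so a follow-up that makes synchronization return an error when repository files are missing would address the crash condition itself.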
References
- github.com/advisories/GHSA-cr88-6mqm-4g57 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-22592 (ghsa, ADVISORY)
- github.com/gogs/gogs/blob/4cc83c498b6ae59356a04912d68a932165bad5e6/internal/database/mirror.go (ghsa, WEB)
- github.com/gogs/gogs/commit/961a79e8f9f2b3190ea804bcf635e4b43b123272 (ghsa, WEB)
- github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57 (ghsa, x_refsource_CONFIRM, WEB)