Gogs has a Protected Branch Deletion Bypass in Web Interface
Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured to the target repository and access to the Gogs web interface. This issue has been fixed in version 0.14.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gogs.io/gogsGo | < 0.14.1 | 0.14.1 |
Affected products
1Patches
17b7e38c88007security: prevent deletion of protected and default branches via web UI (#8124)
2 files changed · +17 −0
conf/locale/locale_en-US.ini+2 −0 modified@@ -494,6 +494,8 @@ branches.stale_branches = Stale Branches branches.all = All Branches branches.updated_by = Updated %[1]s by %[2]s branches.change_default_branch = Change Default Branch +branches.default_deletion_not_allowed = Cannot delete the default branch. +branches.protected_deletion_not_allowed = Cannot delete a protected branch. editor.new_file = New file editor.upload_file = Upload file
internal/route/repo/branch.go+15 −0 modified@@ -118,6 +118,21 @@ func DeleteBranchPost(c *context.Context) { if !c.Repo.GitRepo.HasBranch(branchName) { return } + if branchName == c.Repo.Repository.DefaultBranch { + c.Flash.Error(c.Tr("repo.branches.default_deletion_not_allowed")) + return + } + + protectBranch, err := database.GetProtectBranchOfRepoByName(c.Repo.Repository.ID, branchName) + if err != nil && !database.IsErrBranchNotExist(err) { + log.Error("Failed to get protected branch %q: %v", branchName, err) + return + } + if protectBranch != nil && protectBranch.Protected { + c.Flash.Error(c.Tr("repo.branches.protected_deletion_not_allowed")) + return + } + if len(commitID) > 0 { branchCommitID, err := c.Repo.GitRepo.BranchCommitID(branchName) if err != nil {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-2c6v-8r3v-gh6pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25232ghsaADVISORY
- github.com/gogs/gogs/commit/7b7e38c88007a7c482dbf31efff896185fd9b79cghsax_refsource_MISCWEB
- github.com/gogs/gogs/pull/8124ghsax_refsource_MISCWEB
- github.com/gogs/gogs/releases/tag/v0.14.1ghsax_refsource_MISCWEB
- github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6pghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.