Gogs allows unauthenticated file uploads
Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
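The description above comes down to a routing decision: the two attachment POST handlers were registered in a route group that ignores sign-in state, so the sign-in check never ran before the upload handler. The following is an added example, not Gogs' own code (Gogs uses a different router), that reproduces the weak wiring next to the hardened wiring in plain `net/http` and lets a defender probe both. The session-cookie check, the route paths and the `Probe` helper are constructed for illustration; only the middleware names `ignSignIn`/`reqSignIn` and the two endpoint paths are taken from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// isSignedIn is a constructed stand-in for a real session check.
// A real service validates a session cookie or token; here a cookie
// named "session" with value "valid" counts as signed in.
func isSignedIn(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == "valid"
}

// ignSignIn models the pre-fix wiring: the handler runs regardless of
// whether the requester is authenticated. RequireSigninView only gates
// anonymous viewing, so it does not help here.
func ignSignIn(next http.HandlerFunc) http.HandlerFunc {
	return next
}

// reqSignIn models the 0.14.1 fix: anonymous requests are rejected
// before the upload handler parses or stores any multipart body.
func reqSignIn(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !isSignedIn(r) {
			http.Error(w, "sign-in required", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// uploadAttachment stands in for repo.UploadIssueAttachment and
// repo.UploadReleaseAttachment. It stores nothing; it only reports success.
func uploadAttachment(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "stored")
}

// NewMux registers the two attachment routes. hardened=false wires them the
// way Gogs <= 0.13.4 did (ignSignIn); hardened=true applies the fix (reqSignIn).
func NewMux(hardened bool) *http.ServeMux {
	wrap := ignSignIn
	if hardened {
		wrap = reqSignIn
	}
	mux := http.NewServeMux()
	for _, p := range []string{"/issues/attachments", "/releases/attachments"} {
		mux.HandleFunc(p, wrap(uploadAttachment))
	}
	return mux
}

// Probe sends an in-process POST to path, with or without the constructed
// session cookie, and returns the status code so the gating can be verified
// without a running server.
func Probe(mux *http.ServeMux, path string, signedIn bool) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if signedIn {
		req.AddCookie(&http.Cookie{Name: "session", Value: "valid"})
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, hardened := range []bool{false, true} {
		mux := NewMux(hardened)
		fmt.Printf("hardened=%v anonymous=%d signedIn=%d\n", hardened,
			Probe(mux, "/issues/attachments", false),
			Probe(mux, "/issues/attachments", true))
	}
}
```

The same `Probe` call is the shape of a regression test worth keeping in any self-hosted service: for every state-changing route, assert that an anonymous request is refused before the handler runs, rather than relying on a global "require sign-in to view" switch.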
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | < 0.14.1 | 0.14.1 |
Affected products
Patches
628216d5889f security: require authentication for attachment uploads (#8128)
1 file changed · +4 −1
internal/cmd/web.go+4 −1 modified@@ -329,9 +329,12 @@ func runWeb(c *cli.Context) error { return } }) + }, ignSignIn) + + m.Group("", func() { m.Post("/issues/attachments", repo.UploadIssueAttachment) m.Post("/releases/attachments", repo.UploadReleaseAttachment) - }, ignSignIn) + }, reqSignIn) m.Group("/:username", func() { m.Post("/action/:action", user.Action)
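Review bot: the hunk only moves the two attachment POST routes into a new `reqSignIn` group and leaves the preceding group closed with `}, ignSignIn)`, so any other state-changing route still inside that earlier group remains reachable without sign-in; that group should be audited before merge. With only `internal/cmd/web.go` touched (+4 −1) there is also no regression test asserting that anonymous POSTs to `/issues/attachments` and `/releases/attachments` are now refused, which is the property this fix exists for and the one most likely to regress on the next router refactor.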
References
- github.com/advisories/GHSA-fc3h-92p8-h36f (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25242 (advisory)
- github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3 (web)
- github.com/gogs/gogs/pull/8128 (web)
- github.com/gogs/gogs/releases/tag/v0.14.1 (web)
- github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f (web, vendor confirmation)