Cyber Posture

CVE-2026-25232

Severity: High · Public PoC

Published: 19 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: 0.14.1
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25232 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Gogs (vendor Gogs, product Gogs). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS exploit likelihood ranks at the 3.9th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations in the Gogs web interface so that users with write permission cannot bypass branch protection via direct POST requests to DeleteBranchPost.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and timely remediation of flaws such as this access control bypass by patching to Gogs version 0.14.1 or later.

AC-6 Least Privilege (prevent)
Limits privileges to the minimum necessary, reducing exploitation risk by restricting write access on repositories that have protected branches.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authorization bypass in the public-facing Gogs web application lets write-privileged collaborators perform admin-equivalent branch deletion via a crafted POST request, which is both exploitation of the application for privilege escalation (T1068) and remote exploitation of an Internet-facing service (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function enables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although the Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In order to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured on the target repository, and access to the Gogs web interface. This issue has been fixed in version 0.14.1.

Deeper analysis

CVE-2026-25232 is an access control bypass vulnerability in Gogs, an open-source self-hosted Git service. It affects versions 0.13.4 and below, specifically in the DeleteBranchPost function of the web interface. The flaw allows users with Write permissions on a repository to delete protected branches, including the default branch, by sending a direct POST request, circumventing the branch protection mechanism. While Git Hooks prevent such deletions via SSH pushes, the web interface operations do not trigger these hooks, enabling the bypass. This issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with Write permissions on the target repository, where protected branches are configured, can exploit this vulnerability remotely over the network via the Gogs web interface. By sending a POST request to the DeleteBranchPost endpoint, they bypass the protection and delete protected branches, effectively escalating from Write to Admin-level capabilities. This lets low-privilege collaborators perform destructive operations that should be restricted to administrators, such as removing critical branches, because the web path never applies the branch-protection authorization check.

The vulnerability has been addressed in Gogs version 0.14.1, as detailed in the project's security advisory (GHSA-2c6v-8r3v-gh6p), release notes, associated pull request (#8124), and fixing commit (7b7e38c88007a7c482dbf31efff896185fd9b79c). Security practitioners should upgrade to 0.14.1 or later and review repository permissions to limit Write access where possible.
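The two checks below are an added illustration, not Gogs code: a write-only gate that matches the flaw the advisory describes, beside a check that re-applies branch protection on the web path the way the Git hook layer does on SSH pushes. The Repo and AccessMode types, the branch names and the "default branch counts as protected" rule are assumptions made for this example.

```go
package main

import "fmt"

// AccessMode stands in for the collaborator tiers the advisory names (Write,
// Admin); it and Repo are constructed for this example, not Gogs' own types.
type AccessMode int

const (
	AccessRead AccessMode = iota + 1
	AccessWrite
	AccessAdmin
)

// Repo holds the branch-protection state the check must consult.
type Repo struct {
	DefaultBranch string
	Protected     map[string]bool
}

// writeOnlyCheck is the flawed pattern the advisory describes for the web
// path: it asks only "may this user write?" and never looks at protection.
func writeOnlyCheck(r *Repo, branch string, mode AccessMode) (bool, string) {
	if mode < AccessWrite {
		return false, "write permission required"
	}
	return true, "writer may delete any branch"
}

// protectedBranchCheck re-applies branch protection on the web path so it
// matches what the Git hook layer already enforces on SSH pushes.
func protectedBranchCheck(r *Repo, branch string, mode AccessMode) (bool, string) {
	if mode < AccessWrite {
		return false, "write permission required"
	}
	// Assumption of this example: the default branch counts as protected.
	if (branch == r.DefaultBranch || r.Protected[branch]) && mode < AccessAdmin {
		return false, "protected branch: admin permission required"
	}
	return true, "ok"
}

func main() {
	repo := &Repo{DefaultBranch: "main", Protected: map[string]bool{"release": true}}
	for _, b := range []string{"main", "release", "feature"} {
		flawed, _ := writeOnlyCheck(repo, b, AccessWrite)
		fixed, why := protectedBranchCheck(repo, b, AccessWrite)
		fmt.Printf("%-8s write-only=%v protected-check=%v (%s)\n", b, flawed, fixed, why)
	}
}
```

Running it shows the write-only gate admitting every deletion for a Write collaborator, while the protected-branch check refuses "main" and "release" and allows only "feature".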

Details

CWE(s): CWE-863 (Incorrect Authorization)

Affected Products
Vendor: gogs
Product: gogs
Versions: ≤ 0.14.1

CVEs Like This One

CVE-2026-26194 (same product: Gogs)
CVE-2025-64175 (same product: Gogs)
CVE-2025-64111 (same product: Gogs)
CVE-2025-8110 (same product: Gogs)
CVE-2026-26276 (same product: Gogs)
CVE-2026-25921 (same product: Gogs)
CVE-2026-25242 (same product: Gogs)
CVE-2026-26022 (same product: Gogs)
CVE-2026-24135 (same product: Gogs)
CVE-2025-30093 (shared CWE-863)
