Cyber Resilience

CVE-2026-25242

Severity: Medium · Public PoC available

Published: 19 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: Gogs 0.14.1

CVSS v4.0 score: 6.9 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0062 (45.2nd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-25242 is a medium-severity Missing Authorization (CWE-862) vulnerability in Gogs, the open source self-hosted Git service (vendor: Gogs). Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 45.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-25242 affects Gogs, an open source self-hosted Git service, in versions 0.13.4 and below. The vulnerability stems from file upload endpoints being reachable without authentication when the global RequireSigninView setting is disabled, which is the default configuration. Specifically, remote users can upload arbitrary files to the server via the /releases/attachments and /issues/attachments endpoints. The issue is associated with CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Treat that 9.8 with caution: the v3.1 vector claims high confidentiality, integrity and availability impact, but the impact actually described (the instance abused as a public file host, disk exhaustion, malware hosting) involves no code execution and no data disclosure. The CVSS v4.0 vector at the top of this page (VI:L only, score 6.9) is the more defensible rating of the two, and the below-median EPSS percentile points the same way.

Any remote attacker, without authentication, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary file uploads, enabling the Gogs instance to be abused as a public file host. This can lead to disk exhaustion through repeated uploads, unauthorized content hosting, or delivery of malware to other users or visitors.

The issue has been addressed in Gogs version 0.14.1, as detailed in the project's security advisory (GHSA-fc3h-92p8-h36f), release notes, associated pull request (#8128), and fixing commit (628216d5889fcb838c471f4754f09b935d9cd9f3). Administrators should upgrade to version 0.14.1 or later. For instances that cannot upgrade immediately, enabling RequireSigninView may provide partial protection in affected versions (it is disabled by default) because it requires sign-in before repository pages can be viewed at all; it is a stopgap, not a fix. CSRF tokens do not prevent exploitation because Gogs issues the session cookie and CSRF token to any visitor, authenticated or not: an attacker fetches a page, takes the token it was handed, and submits it along with the upload request from the same origin. The token defends against cross-site requests, not against unauthenticated ones.
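The two questions an administrator has to answer from the paragraph above are "is my version below 0.14.1?" and "is RequireSigninView actually on?". The following script is an added example written for this page, not code from the Gogs project or from the advisory. It compares a Gogs version string against the fixed release with proper handling of pre-release and build suffixes, and reads the setting out of an app.ini. The sample app.ini fragments are constructed here; the key name REQUIRE_SIGNIN_VIEW under [service] is the app.ini key that backs the RequireSigninView setting in Gogs' configuration file and is assumed here, so confirm it against your own app.ini.

```python
import configparser
import re

# The release the advisory names as fixed.
FIXED_VERSION = (0, 14, 1)

# Accepts "0.13.4", "v0.13.4", "0.14.1-rc1", "0.13.0+dev" (build metadata ignored).
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(s):
    """Return a comparable tuple (major, minor, patch, release_flag).

    release_flag is 0 for pre-releases and 1 for final releases, so that
    0.14.1-rc1 sorts below 0.14.1 and is still treated as unpatched.
    """
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Gogs version string: {s!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable_version(s):
    """True when the version is older than the 0.14.1 final release."""
    return parse_version(s) < FIXED_VERSION + (1,)


def require_signin_view(app_ini_text):
    """True only if [service] REQUIRE_SIGNIN_VIEW is explicitly enabled.

    Gogs' app.ini has top-level keys before the first section, which
    configparser rejects, so they are swept into a dummy section first.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Gogs' upper-case key names as-is
    cp.read_string("[__root__]\n" + app_ini_text)
    # Absent key == Gogs default == disabled.
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def assess(version, app_ini_text):
    """Summarise exposure to CVE-2026-25242 for one instance."""
    if not is_vulnerable_version(version):
        return "patched"
    if require_signin_view(app_ini_text):
        return "vulnerable: partially mitigated by REQUIRE_SIGNIN_VIEW"
    return "vulnerable: unauthenticated upload endpoints exposed"


# Constructed app.ini fragments for this example: the default (weak) setting
# and the hardened stopgap.
DEFAULT_APP_INI = """\
APP_NAME = Gogs
RUN_USER = git

[server]
DOMAIN = git.example.internal
HTTP_PORT = 3000

[service]
REQUIRE_SIGNIN_VIEW = false
DISABLE_REGISTRATION = false
"""

HARDENED_APP_INI = DEFAULT_APP_INI.replace(
    "REQUIRE_SIGNIN_VIEW = false", "REQUIRE_SIGNIN_VIEW = true"
)

if __name__ == "__main__":
    for ver, ini in [("0.13.4", DEFAULT_APP_INI), ("0.13.4", HARDENED_APP_INI),
                     ("0.14.1-rc1", HARDENED_APP_INI), ("0.14.1", DEFAULT_APP_INI)]:
        print(f"{ver:>12}: {assess(ver, ini)}")
```

Feed it the version string your instance reports and the app.ini it actually loads (custom/conf/app.ini overrides the bundled defaults). A pre-release of 0.14.1 is deliberately reported as vulnerable; only the final 0.14.1 or later counts as patched.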

Vulnerability details

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated arbitrary file upload in a public-facing Gogs web application is itself the exploitation of a public-facing application (T1190); the upload endpoints give an attacker a way to stage tools or malware on the victim's infrastructure (T1105); and repeated uploads fill the attachment storage until the service fails (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
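Because the CSRF token is handed to every visitor, an access log cannot tell you whether a POST to the attachment endpoints came from a logged-in user. What it can show is the pattern the T1105 and T1499.004 mappings describe: bursts of uploads from one source, and whether those uploads succeeded or were turned away. The detector below is an added example written for this page, not tooling from the Gogs project. It runs over constructed nginx combined-format lines from a reverse proxy in front of Gogs, matches POSTs whose path ends in /issues/attachments or /releases/attachments (Gogs scopes these under the repository path, so it matches on the suffix), and flags any source that exceeds a threshold of successful uploads within a sliding window. The log lines, IP addresses and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Path suffixes named in the advisory; the repository prefix varies.
UPLOAD_RE = re.compile(r"/(issues|releases)/attachments$")

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def upload_events(lines):
    """Yield every POST to an attachment endpoint, whatever its status."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if UPLOAD_RE.search(path):
            yield rec


def flag_sources(lines, max_uploads=5, window_seconds=60):
    """Return {ip: successful_upload_count} for sources that exceed
    max_uploads successful (2xx) attachment uploads inside any window of
    window_seconds. Non-2xx responses (e.g. a redirect to login after the
    fix) are counted as blocked and ignored here.
    """
    by_ip = defaultdict(list)
    for rec in upload_events(lines):
        if 200 <= rec["status"] < 300:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_uploads:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample traffic for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2026:10:00:01 +0000] "GET /org/repo/issues/1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2026:10:00:02 +0000] "POST /org/repo/issues/attachments HTTP/1.1" 200 86 "-" "python-requests/2.31"
203.0.113.7 - - [19/Feb/2026:10:00:03 +0000] "POST /org/repo/issues/attachments HTTP/1.1" 200 86 "-" "python-requests/2.31"
203.0.113.7 - - [19/Feb/2026:10:00:04 +0000] "POST /org/repo/issues/attachments HTTP/1.1" 200 86 "-" "python-requests/2.31"
203.0.113.7 - - [19/Feb/2026:10:00:05 +0000] "POST /org/repo/releases/attachments HTTP/1.1" 200 86 "-" "python-requests/2.31"
203.0.113.7 - - [19/Feb/2026:10:00:06 +0000] "POST /org/repo/releases/attachments HTTP/1.1" 200 86 "-" "python-requests/2.31"
203.0.113.7 - - [19/Feb/2026:10:00:07 +0000] "POST /org/repo/issues/attachments HTTP/1.1" 200 86 "-" "python-requests/2.31"
198.51.100.4 - - [19/Feb/2026:10:05:00 +0000] "POST /org/repo/releases/attachments?x=1 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Feb/2026:10:05:01 +0000] "POST /org/repo/issues/attachments HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in upload_events(lines):
        print(rec["ip"], rec["status"], rec["path"])
    print("flagged:", flag_sources(lines))
```

Tune max_uploads and window_seconds to your own baseline of legitimate attachment traffic. After upgrading to 0.14.1, a steady stream of 302 or 4xx responses on these paths is the expected sign that unauthenticated uploads are now being refused; 2xx responses in volume from a single source are what to investigate.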

CVEs Like This One

CVE-2022-0871 (same product: Gogs)
CVE-2024-13655 (shared CWE-862)
CVE-2025-10690 (shared CWE-862)
CVE-2025-54943 (shared CWE-862)
CVE-2025-5394 (shared CWE-862)
CVE-2025-1307 (shared CWE-862)
CVE-2024-54679 (shared CWE-862)
CVE-2015-10140 (shared CWE-862)
CVE-2024-52500 (shared CWE-862)
CVE-2025-27296 (shared CWE-862)

Affected Assets

gogs / gogs
< 0.14.1 (versions 0.13.4 and below per the advisory; fixed in 0.14.1)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-derived mapping)

prevent · AC-3 Access Enforcement

Enforces approved authorizations on file upload endpoints like /releases/attachments and /issues/attachments to block unauthenticated arbitrary file uploads. This is what the 0.14.1 fix adds in code; upgrading is how the control is applied.

prevent · AC-14 Permitted Actions Without Identification or Authentication

Defines and prohibits unauthenticated actions such as file uploads, ensuring only explicitly permitted operations occur without identification or authentication.

prevent

Mandates secure configuration settings like enabling RequireSigninView to require authentication for upload endpoints in Gogs. The advisory describes this as partial protection only, so treat it as a stopgap for instances that cannot upgrade immediately, not as a substitute for the patch.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Caveat: all five rules below concern password prompting for local privilege escalation on Linux hosts. They share CWE-862 with this CVE but have no bearing on the Gogs web endpoints, so do not count them as mitigations for CVE-2026-25242; they are general hardening for the host the Gogs service runs on.

Oracle Linux 8 (2 rules)
  • V-248581 OL 8 must require users to provide a password for privilege escalation. via CWE-862
  • V-252656 The OL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-862
RHEL 7 (2 rules)
  • V-251704 The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation. via CWE-862
  • V-204429 The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation. via CWE-862
RHEL 8 (1 rule)
  • V-251712 The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. via CWE-862
