CVE-2026-25242
Published: 19 February 2026
Summary
CVE-2026-25242 is a critical-severity Missing Authorization (CWE-862) vulnerability in Gogs, the open source self-hosted Git service. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 27.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforce approved authorizations on the file upload endpoints (/releases/attachments and /issues/attachments) so that unauthenticated arbitrary file uploads are rejected.
- AC-14 (Permitted Actions Without Identification or Authentication): define the actions allowed without identification or authentication and exclude file upload from them, so only explicitly permitted operations are reachable anonymously.
- CM-6 (Configuration Settings): mandate secure configuration settings, such as enabling RequireSigninView so that the upload endpoints require authentication on affected Gogs versions.
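The CM-6 control above corresponds to a single key in the Gogs configuration file. The fragment below is an added example, not text from the advisory or the Gogs project; the section and key name are those of the Gogs app.ini setting that backs RequireSigninView, and the "before" value is the default the advisory describes as vulnerable. The file path is the usual custom override location and is stated here as an assumption.

```ini
; custom/conf/app.ini (added example; path and comments are assumptions)

; Before: the default in affected versions. Anonymous clients can reach
; /releases/attachments and /issues/attachments.
[service]
REQUIRE_SIGNIN_VIEW = false

; After: require sign-in for the instance, which removes anonymous access
; to the upload endpoints. The advisory describes this as partial protection;
; upgrading to 0.14.1 or later is the fix.
[service]
REQUIRE_SIGNIN_VIEW = true
```

Gogs reads the file at startup, so the change needs a restart. Note that REQUIRE_SIGNIN_VIEW makes the whole instance private, not only the upload routes: anonymous visitors lose read access to public repositories as well, which may not be acceptable for an instance that intentionally serves public code.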
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated arbitrary file upload to a public-facing Gogs instance maps to exploitation of a public-facing application (T1190), ingress tool transfer through the upload endpoints (T1105), and endpoint denial of service through disk exhaustion (T1499.004).
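Each of the three techniques leaves the same trace at the edge: POST requests to the two upload routes. The program below is an added example, not part of the advisory or of Gogs, that runs a detection pass over access-log lines from a reverse proxy in front of a Gogs instance. The log lines are constructed for this example; the owner/repository prefix, the client addresses, the user agents and the flagging threshold are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed combined-format access-log lines (not real traffic).
var sampleLog = []string{
	`203.0.113.7 - - [19/Feb/2026:10:01:02 +0000] "POST /acme/tools/releases/attachments HTTP/1.1" 200 85 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [19/Feb/2026:10:01:03 +0000] "POST /acme/tools/releases/attachments HTTP/1.1" 200 85 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [19/Feb/2026:10:01:04 +0000] "POST /acme/tools/issues/attachments HTTP/1.1" 200 85 "-" "curl/8.5.0"`,
	`198.51.100.4 - - [19/Feb/2026:10:02:10 +0000] "GET /acme/tools/releases HTTP/1.1" 200 4120 "-" "Mozilla/5.0"`,
	`198.51.100.4 - - [19/Feb/2026:10:02:15 +0000] "POST /acme/tools/issues/attachments HTTP/1.1" 200 85 "https://git.example.test/acme/tools/issues/12" "Mozilla/5.0"`,
	`192.0.2.9 - - [19/Feb/2026:10:03:00 +0000] "POST /acme/tools/issues/attachments HTTP/1.1" 401 12 "-" "python-requests/2.31"`,
}

// Fields we need from a combined-format line: client, method, path, status, referer, UA.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"`)

// The two upload routes named in the advisory, matched as path suffixes
// because Gogs mounts them under an owner/repository prefix (assumed here).
var uploadPath = regexp.MustCompile(`/(releases|issues)/attachments$`)

type Hit struct {
	Client, Path, Status, Referer, UserAgent string
}

// findUploads returns every successful (2xx) POST to an upload route.
// Rejected uploads (e.g. 401 once sign-in is required) are not counted.
func findUploads(lines []string) []Hit {
	var hits []Hit
	for _, l := range lines {
		m := logLine.FindStringSubmatch(l)
		if m == nil || m[2] != "POST" || !uploadPath.MatchString(m[3]) {
			continue
		}
		if m[4][0] != '2' {
			continue
		}
		hits = append(hits, Hit{Client: m[1], Path: m[3], Status: m[4], Referer: m[5], UserAgent: m[6]})
	}
	return hits
}

// countByClient aggregates accepted uploads per source address.
func countByClient(hits []Hit) map[string]int {
	counts := make(map[string]int)
	for _, h := range hits {
		counts[h.Client]++
	}
	return counts
}

// suspicious flags clients that upload without a Referer (a browser upload
// from the issue or release form carries one; a scripted upload usually does
// not) or that reach the volume threshold, the pattern behind the file-hosting
// and disk-exhaustion abuse the advisory describes. Result is sorted.
func suspicious(hits []Hit, threshold int) []string {
	flagged := make(map[string]bool)
	for _, h := range hits {
		if h.Referer == "-" {
			flagged[h.Client] = true
		}
	}
	for c, n := range countByClient(hits) {
		if n >= threshold {
			flagged[c] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for c := range flagged {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

func main() {
	hits := findUploads(sampleLog)
	for _, h := range hits {
		fmt.Printf("%s POST %s %s referer=%q ua=%q\n", h.Client, h.Path, h.Status, h.Referer, h.UserAgent)
	}
	fmt.Println("flagged:", suspicious(hits, 3))
}
```

On the sample, 203.0.113.7 is flagged on both criteria (three scripted uploads with no Referer), while the browser upload from 198.51.100.4 with a same-site Referer is listed but not flagged, and the 401 from 192.0.2.9 shows what the same probe looks like once uploads require sign-in. Referer is a weak signal on its own since a client controls it; pair it with per-client volume as above.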
NVD Description
Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
Deeper analysis
CVE-2026-25242 affects Gogs, an open source self-hosted Git service, in versions 0.13.4 and below. The vulnerability stems from the file upload endpoints being reachable without authentication when the global RequireSigninView setting is disabled, which is the default configuration. Specifically, remote users can upload arbitrary files to the server via the /releases/attachments and /issues/attachments endpoints. The issue is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).
Any remote attacker can exploit this vulnerability over the network without authentication, with low complexity and no user interaction. Successful exploitation allows arbitrary file uploads, so the Gogs instance can be abused as a public file host. This can lead to disk exhaustion through repeated uploads, unauthorized content hosting, or delivery of malware to other users or visitors.
The issue has been addressed in Gogs version 0.14.1, as detailed in the project's security advisory (GHSA-fc3h-92p8-h36f), release notes, associated pull request (#8128), and fixing commit (628216d5889fcb838c471f4754f09b935d9cd9f3). Administrators should upgrade to version 0.14.1 or later. Enabling RequireSigninView may provide partial protection on affected versions, but it is not enabled by default and it makes the whole instance require sign-in, not only the upload routes. CSRF tokens do not prevent exploitation because they are issued to any same-origin client, authenticated or not, so an anonymous attacker can obtain a valid token and include it in the upload request.
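The defect is a missing authorization check in front of a state-changing route, independent of CSRF protection. The program below is an added example, not Gogs code and not the project's fix: it models the weak default (upload routes mounted with no sign-in check) next to the same routes behind a sign-in requirement, using the standard net/http and httptest packages. The session cookie name "sess", the handler bodies and the cookie value used for the signed-in probe are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// uploadHandler stands in for the attachment upload route. It accepts any
// POST body as a stored file; it deliberately performs no authorization
// check of its own, which is the CWE-862 condition the advisory describes.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("stored"))
}

// isSignedIn is a stand-in for session validation: any request carrying a
// non-empty "sess" cookie (assumed name) is treated as an authenticated user.
func isSignedIn(r *http.Request) bool {
	c, err := r.Cookie("sess")
	return err == nil && c.Value != ""
}

// requireSignIn is the authorization check that was missing: it rejects
// anonymous requests before the upload handler ever runs.
func requireSignIn(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isSignedIn(r) {
			http.Error(w, "sign in required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux builds the routes. requireSigninView=false mirrors the vulnerable
// default: both upload routes are mounted with no authentication check.
func newMux(requireSigninView bool) *http.ServeMux {
	mux := http.NewServeMux()
	var h http.Handler = http.HandlerFunc(uploadHandler)
	if requireSigninView {
		h = requireSignIn(h)
	}
	mux.Handle("/releases/attachments", h)
	mux.Handle("/issues/attachments", h)
	return mux
}

// probe sends a POST with a small body to path, optionally with a session
// cookie, and returns the HTTP status code the mux produced.
func probe(mux *http.ServeMux, path, sessCookie string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader("not really a file"))
	req.Header.Set("Content-Type", "application/octet-stream")
	if sessCookie != "" {
		req.AddCookie(&http.Cookie{Name: "sess", Value: sessCookie})
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, anonymous POST /releases/attachments ->", probe(newMux(false), "/releases/attachments", ""))
	fmt.Println("fixed, anonymous POST /releases/attachments     ->", probe(newMux(true), "/releases/attachments", ""))
	fmt.Println("fixed, signed-in POST /issues/attachments       ->", probe(newMux(true), "/issues/attachments", "sess-abc"))
}
```

The point of the shape is that the check lives in middleware applied at route registration, so every upload route gets it and a new route cannot be added without deciding whether it is anonymous. A CSRF token would not have changed the first probe: the anonymous client can fetch one from the same origin before posting, which is why the advisory notes CSRF protection does not mitigate this issue.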
Details
- CWE(s)