CVE-2026-25119: Gogs has an Authentication Bypass via Unvalidated Reverse Proxy Headers

June 22, 2026

When ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, Gogs accepts the configured authentication header (default: X-WEBAUTH-USER) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can reach the Gogs service can forge this header to impersonate any user or trigger automatic account creation, completely bypassing authentication.

References

github.com/advisories/GHSA-w6j9-vw59-27wv
github.com/gogs/gogs/commit/0089c4c8e5b8d99eb6e5c8727f8f40d765f1f58a
github.com/gogs/gogs/pull/8264
github.com/gogs/gogs/releases/tag/v0.14.3
github.com/gogs/gogs/security/advisories/GHSA-w6j9-vw59-27wv
nvd.nist.gov/vuln/detail/CVE-2026-25119

Code Behaviors & Features

Detect and mitigate CVE-2026-25119 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →