CVE-2026-47267: Gogs has SSRF in webhook deliveries

June 22, 2026

The fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs.

This was already communicated in the initial report but it looks like there was a bit of a miscommunication.

References

github.com/advisories/GHSA-c4v7-xg93-qf8g
github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018
github.com/gogs/gogs/pull/8263
github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g
nvd.nist.gov/vuln/detail/CVE-2026-47267

Code Behaviors & Features

Detect and mitigate CVE-2026-47267 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →