CVE-2026-52799: Gogs Missing Authorization in Attachment Download

June 22, 2026

In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository.

References

github.com/advisories/GHSA-p9f5-h3rx-j5qw
github.com/gogs/gogs/commit/d3ca23f9f33d5710472a775d6dcd3a7bb128bb05
github.com/gogs/gogs/pull/8320
github.com/gogs/gogs/releases/tag/v0.14.3
github.com/gogs/gogs/security/advisories/GHSA-p9f5-h3rx-j5qw
nvd.nist.gov/vuln/detail/CVE-2026-52799

Code Behaviors & Features

Detect and mitigate CVE-2026-52799 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →