CVE-2025-65852: Gogs has authorization bypass in repository deletion API

February 6, 2026

The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository.

This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read access) without enforcing reqRepoOwner() or reqRepoAdmin().

References

github.com/advisories/GHSA-rjv5-9px2-fqw6
github.com/gogs/gogs
github.com/gogs/gogs/commit/961a79e8f9f2b3190ea804bcf635e4b43b123272
github.com/gogs/gogs/releases/tag/v0.13.4
github.com/gogs/gogs/security/advisories/GHSA-rjv5-9px2-fqw6
nvd.nist.gov/vuln/detail/CVE-2025-65852

Code Behaviors & Features

Detect and mitigate CVE-2025-65852 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →