CVE-2026-23632: Gogs user can update repository content with read-only permission

Vulnerability Description

The endpoint PUT /repos/:owner/:repo/contents/* does not require write permissions and allows access with read permission only via repoAssignment().

After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in:

  • Commit creation
  • Execution of git push

As a result, a token with read-only permission can be used to modify repository contents.

Attack Prerequisites

  • Possession of a valid access token
  • Read permission on the target repository (public repository or collaborator with read access)

Attack Scenario

  1. The attacker accesses the target repository with a read-only token
  2. The attacker sends a PUT /contents request to update an arbitrary file
  3. The server creates a commit and performs a git push on behalf of the attacker

Potential Impact

  • Source code tampering
  • Injection of backdoors
  • Compromise of release artifacts and distributed packages

References

Code Behaviors & Features

Detect and mitigate CVE-2026-23632 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →