CVE-2026-25242: Unauthenticated File Upload in Gogs

February 17, 2026 (updated February 19, 2026)

Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance.

References

github.com/advisories/GHSA-fc3h-92p8-h36f
github.com/gogs/gogs
github.com/gogs/gogs/commit/628216d5889fcb838c471f4754f09b935d9cd9f3
github.com/gogs/gogs/pull/8128
github.com/gogs/gogs/releases/tag/v0.14.1
github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f
nvd.nist.gov/vuln/detail/CVE-2026-25242

Code Behaviors & Features

Detect and mitigate CVE-2026-25242 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →