CVE-2026-26196: Gogs: Access tokens get exposed through URL params in API requests

March 5, 2026 (updated March 6, 2026)

The Gogs API still accepts tokens in URL parameters such as token and access_token, which can leak through logs, browser history, and referrers.

References

github.com/advisories/GHSA-x9p5-w45c-7ffc
github.com/gogs/gogs
github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd
github.com/gogs/gogs/pull/8177
github.com/gogs/gogs/releases/tag/v0.14.2
github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc
nvd.nist.gov/vuln/detail/CVE-2026-26196

Code Behaviors & Features

Detect and mitigate CVE-2026-26196 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →