All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-52799
HIGHpublished 2026-06-24 21:16 UTC · 4 days ago · modified 2026-06-25 14:19 UTC
7.5
CVSS / 10
// description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user can download attachments belonging to a private repository. This vulnerability is fixed in 0.14.3.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
// weaknesses (CWE)
- CWE-639
- CWE-862