CVE-2026-52815

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 24, 2026

Vendor unknown

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.

References

https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56