Vulnerability Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.
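The missing-middleware pattern described above, as an added example that is not Gogs code: a minimal net/http router that registers a teams route with and without a token check, so the difference in anonymous access is visible. `requireToken`, `newRouter`, `status`, the organization name and the team data are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const teamsPath = "/api/v1/orgs/example-org/teams" // constructed org name
// listTeams does no authentication check itself; the team data is constructed.
func listTeams(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `[{"id":1,"name":"Owners","permission":"owner"}]`)
}

// requireToken is a hypothetical stand-in for token middleware; real code must also validate the token.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "token required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter registers the teams route with or without the middleware.
func newRouter(protected bool) http.Handler {
	var h http.Handler = http.HandlerFunc(listTeams)
	if protected {
		h = requireToken(h)
	}
	mux := http.NewServeMux()
	mux.Handle(teamsPath, h)
	return mux
}

// status issues one GET and returns the HTTP status; an empty token means no credentials.
func status(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, teamsPath, nil)
	if token != "" {
		req.Header.Set("Authorization", "token "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("anonymous:", status(newRouter(false), ""), "vs", status(newRouter(true), ""))
}
```

A regression test of this shape, asserting that an anonymous request to each API route is rejected, catches a route group registered without its authentication middleware.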
Related Weaknesses (CWE)
References
- https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56
FAQ
What is CVE-2026-52815?
CVE-2026-52815 is a documented vulnerability. Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1...
How severe is CVE-2026-52815?
CVSS scoring is not yet available for CVE-2026-52815. Check NVD for updates.
Is there a patch for CVE-2026-52815?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.