CVE-2026-25120 Overview
CVE-2026-25120 is an Authorization Bypass vulnerability in Gogs, an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls.
Critical Impact
Repository administrators can delete comments from any repository on the Gogs instance, potentially disrupting collaboration, removing important code review feedback, or covering malicious activity trails.
Affected Products
- Gogs versions 0.13.4 and below
- Self-hosted Git service deployments using vulnerable Gogs versions
Discovery Timeline
- 2026-02-19 - CVE-2026-25120 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-25120
Vulnerability Analysis
This vulnerability represents a classic Insecure Direct Object Reference (IDOR) flaw within the Gogs API. The DeleteComment function retrieves a comment by its ID without verifying that the comment belongs to the repository specified in the API request URL. The underlying database function DeleteCommentByID performs no repository validation either, creating a broken access control condition.
The exploitation path requires the attacker to have administrator privileges on at least one repository within the Gogs instance. From that position, they can craft API requests targeting comments in other repositories by simply changing the comment ID parameter, effectively bypassing the intended repository-level authorization controls.
Root Cause
The root cause is insufficient authorization validation in the comment deletion workflow. Specifically, the application fails to verify that the comment's parent issue belongs to the same repository context from which the deletion request originated. This is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where user-supplied input (the comment ID) directly controls which resource is accessed without proper ownership verification.
Attack Vector
An attacker with repository administrator privileges can exploit this vulnerability through network-accessible API endpoints. The attack involves:
- Authenticating to a Gogs instance as a repository administrator
- Identifying target comment IDs from other repositories (through enumeration or prior knowledge)
- Sending DeleteComment API requests with arbitrary comment IDs
- Successfully deleting comments from repositories outside the attacker's administrative scope
// Security patch adding repository ownership verification
// Source: https://github.com/gogs/gogs/commit/1b226ca48dc8b3e95cc1c41229d72819c960a1b7
return
}
+ issue, err := database.GetIssueByID(comment.IssueID)
+ if err != nil {
+ c.NotFoundOrError(err, "get issue by ID")
+ return
+ }
+
+ if issue.RepoID != c.Repo.Repository.ID {
+ c.NotFound()
+ return
+ }
+
if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
c.Status(http.StatusForbidden)
return
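Review bot: the new ownership guard lives only in the API handler; the database helper DeleteCommentByID, which the analysis above notes performs no repository validation, is left unchanged, so any other caller of it (including any future endpoint) needs the same `issue.RepoID != c.Repo.Repository.ID` check, and enforcing the repository match inside the database layer as well would make the fix harder to bypass. Answering the cross-repository case with `c.NotFound()` rather than a 403 is the right choice, since it does not confirm that a comment with that ID exists in another repository.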
The patch adds critical ownership verification by fetching the issue associated with the comment and validating that the issue's repository ID matches the repository context of the current request.
Detection Methods for CVE-2026-25120
Indicators of Compromise
- Unusual API activity patterns showing DeleteComment requests with comment IDs not belonging to the specified repository
- Audit logs revealing repository administrators accessing or modifying resources outside their authorized repositories
- Unexpected deletion of issue comments, particularly in repositories where the deleting user has no administrative access
Detection Strategies
- Implement API request logging that captures the full context of DeleteComment operations, including the requesting user, target repository, and comment ID
- Create correlation rules that flag when a user's delete operations span multiple repositories they don't own
- Monitor for sequential or enumeration-style comment ID access patterns that may indicate exploitation attempts
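The cross-repository indicator listed under Indicators of Compromise and the correlation and enumeration rules in this list, as an added Go example that is not part of this advisory or of Gogs itself. The access-log line format and the comment-ID-to-repository map are assumptions; the map stands in for an export from the Gogs database, which is the only way to know which repository a comment really belongs to.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)
// Constructed sample access log (not real Gogs output); assumed line shape:
// <timestamp> user=<login> <METHOD> /api/v1/repos/<owner>/<repo>/issues/comments/<id> <status>
const sampleLog = `2026-02-19T10:00:01Z user=alice DELETE /api/v1/repos/alice/app/issues/comments/501 204
2026-02-19T10:00:02Z user=alice DELETE /api/v1/repos/alice/app/issues/comments/502 204
2026-02-19T10:00:03Z user=alice DELETE /api/v1/repos/alice/app/issues/comments/503 204
2026-02-19T10:00:09Z user=bob DELETE /api/v1/repos/bob/site/issues/comments/77 204
2026-02-19T10:00:10Z user=carol GET /api/v1/repos/bob/site/issues/comments/77 200`
// Constructed comment ID -> owning repository map; in practice exported from the Gogs database.
var sampleCommentRepo = map[int64]string{501: "bob/site", 502: "bob/site", 503: "bob/site", 77: "bob/site"}

type DeleteEvent struct{ User, URLRepo string; CommentID int64 }
type Alert struct{ User, Reason string }
var deleteLine = regexp.MustCompile(`user=(\S+) DELETE /api/v1/repos/([^/]+/[^/]+)/issues/comments/(\d+) `)
// ParseDeletes keeps only DeleteComment requests (other methods and paths are ignored).
func ParseDeletes(log string) []DeleteEvent {
	var out []DeleteEvent
	for _, m := range deleteLine.FindAllStringSubmatch(log, -1) {
		id, _ := strconv.ParseInt(m[3], 10, 64)
		out = append(out, DeleteEvent{User: m[1], URLRepo: m[2], CommentID: id})
	}
	return out
}
// Detect alerts when the deleted comment belongs to a repository other than the one in the URL
// (the CVE-2026-25120 signature) and when one user deletes runLen consecutive comment IDs.
func Detect(events []DeleteEvent, commentRepo map[int64]string, runLen int) []Alert {
	var alerts []Alert
	run, last := map[string]int{}, map[string]int64{} // per-user consecutive-ID run tracking
	for _, e := range events {
		if owner, ok := commentRepo[e.CommentID]; ok && owner != e.URLRepo {
			alerts = append(alerts, Alert{e.User, fmt.Sprintf("cross-repository delete: comment %d belongs to %s, URL names %s", e.CommentID, owner, e.URLRepo)})
		}
		if last[e.User]+1 != e.CommentID {
			run[e.User] = 0 // sequence broken (or first event for this user)
		}
		run[e.User]++
		last[e.User] = e.CommentID
		if run[e.User] == runLen {
			alerts = append(alerts, Alert{e.User, fmt.Sprintf("enumeration: %d consecutive comment IDs deleted", runLen)})
		}
	}
	return alerts
}
```

Comment IDs absent from the map are skipped rather than guessed, so the rule only fires on deletions whose true owner is known.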
Monitoring Recommendations
- Enable verbose audit logging for all API operations in Gogs
- Set up alerts for anomalous cross-repository administrative actions
- Review Gogs access logs for patterns of comment deletion activity across repository boundaries
How to Mitigate CVE-2026-25120
Immediate Actions Required
- Upgrade Gogs to version 0.14.0 or later, which contains the security fix
- Audit existing repository administrator accounts and restrict privileges where possible
- Review audit logs for any suspicious cross-repository comment deletion activity
Patch Information
The vulnerability has been fixed in Gogs version 0.14.0. The patch implements proper repository ownership verification by checking that the comment's parent issue belongs to the repository specified in the API request. For detailed information, refer to the GitHub Security Advisory and the security patch commit.
Workarounds
- Restrict repository administrator privileges to only essential trusted users until the patch can be applied
- Implement network-level access controls to limit API endpoint exposure
- Consider placing Gogs behind an API gateway that can provide additional request validation and logging
# Upgrade example - move Gogs to a patched version (0.14.0 or later)
# Check the currently installed Gogs version
./gogs --version
# Stop Gogs and back up its data before upgrading (service name and paths are placeholders)
sudo systemctl stop gogs
tar -czvf gogs-backup.tar.gz /path/to/gogs-data
# Download and unpack Gogs 0.14.0 or later
wget https://github.com/gogs/gogs/releases/download/v0.14.0/gogs_0.14.0_linux_amd64.tar.gz
tar -xzvf gogs_0.14.0_linux_amd64.tar.gz
# Install the new release over the old one, start Gogs again and re-check the version
cp -r gogs/* /path/to/gogs/
sudo systemctl start gogs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.