CVE-2026-25921 - Vulnerability Analysis

Overview

Gogs < 0.14.2 contains a broken access control vulnerability caused by overwritable LFS objects across different repositories, letting malicious attackers overwrite LFS objects, exploit requires no special privileges.

Severity & Score

Impact

Attackers can maliciously overwrite LFS objects across repositories, enabling supply-chain attacks and compromising code integrity.

Mitigation

Update to version 0.14.2 or later.

References

• https://github.com/gogs/gogs/commit/81ee8836445ac888d99da8b652be7d5cbc5c4d5c
• https://github.com/gogs/gogs/pull/8166
• https://github.com/gogs/gogs/releases/tag/v0.14.2
• https://github.com/gogs/gogs/security/advisories/GHSA-cj4v-437j-jq4c

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner