CVE-2026-25921 - Vulnerability Analysis
Severity: Critical | CVSS: 9.3 | Last Updated: March 6, 2026
Gogs - Broken Access Control
Overview
Gogs before 0.14.2 contains a broken access control vulnerability: LFS objects are not isolated per repository, so an object stored for one repository can be overwritten through another, allowing an attacker to replace LFS content. Exploitation requires no special privileges.
Impact
An attacker can overwrite LFS objects belonging to other repositories, replacing large binary artifacts without changing the commits that reference them. This enables supply-chain attacks and compromises the integrity of code and build artifacts served by the affected instance.
Mitigation
Update to version 0.14.2 or later.
Social Media Activity (1 post)
Critical Gogs Vulnerability Enables Silent Supply-Chain Attacks via LFS Overwrites
Gogs patched a critical vulnerability (CVE-2026-25921) that allows unauthenticated attackers to overwrite Git Large File Storage (LFS) objects across repositories, enabling silent supply-chain attacks. **If you are using Gogs, this is important, and if you have public access or registration to Gogs, it's urgent. Attackers can exploit this flaw to inject their malicious versions of binaries. You should not only update to version 0.14.2 ASAP but also verify the integrity of your existing large files to ensure they haven't been replaced with malicious versions.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/critical-gogs-vulnerability-enables-silent-supply-chain-attacks-via-lfs-overwrites-g-z-x-s-r/gD2P6Ple2L
Details
- CVE ID: CVE-2026-25921
- Severity: Critical
- CVSS Score: 9.3
- Type: broken_access_control
- Status: confirmed
- EPSS: 2.3%
- Social Posts: 1
CWE
- CWE-345
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L