This vulnerability, identified as CVE-2026-52801, is an unauthenticated information disclosure flaw present in all current versions of the Gogs self-hosted Git service. The root cause lies in the API route configuration for the `/api/v1/orgs/:orgname/teams` endpoint, which lacks the required authentication middleware.
Normally, Gogs API routes are protected by a `reqToken()` middleware that validates the user’s authentication token. However, in the file `internal/route/api/v1/api.go` at lines 380-385, the route group for organization teams is missing this critical middleware. Instead, it only uses `orgAssignment(true)`, a middleware that loads the organization object based on the `:orgname` parameter but performs no authentication checks whatsoever.
The `listTeams()` handler, located in `internal/route/api/v1/org_team.go` at line 8, then executes without any permission verification. It queries the database for all teams belonging to the loaded organization and returns their details unconditionally. This is in stark contrast to other organization endpoints which correctly enforce authentication by including the `reqToken()` middleware in their route definitions.
An unauthenticated attacker can exploit this by sending a simple `GET` request to the vulnerable endpoint. The response will contain a full list of teams for the specified organization, including sensitive details like team IDs, names, descriptions, and permission levels. This exposure allows an attacker to map an organization’s internal structure, identify privileged teams (like “Owners” or “Admins”), and gather information that could be used for further, more targeted attacks.
DailyCVE Form
Platform: Gogs
Version: All current
Vulnerability: Info Disclosure
Severity: Medium
Date: 2026-06-23
Prediction: 2026-07-15
What Undercode Say
The vulnerability can be confirmed by sending a curl request to the target endpoint without any token and inspecting the JSON response. On a vulnerable instance the request returns a `200 OK` status with a list of team objects.
```shell
# List all teams in an organization without authentication
curl -s "http://TARGET:3000/api/v1/orgs/myorg/teams" | python3 -m json.tool
```

Example of a successful response exposing sensitive information:

```json
[
  {
    "id": 1,
    "name": "Owners",
    "description": "Administrators team",
    "permission": "owner"
  },
  {
    "id": 2,
    "name": "backend-devs",
    "description": "Backend development team",
    "permission": "write"
  }
]
```
Exploit
Exploitation is trivial and requires no special tools or privileges. An attacker only needs to know or guess the name of an organization (`:orgname`) hosted on the target Gogs instance. By sending an unauthenticated `GET` request to `/api/v1/orgs/{orgname}/teams`, the attacker will receive a comprehensive list of all teams within that organization.
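Because the request shape is so simple, a defender can look for it in access logs. The following Go program is an added example, not part of this advisory or of Gogs: it parses reverse-proxy access log lines in the common "combined" format (an assumption about the deployment; the sample lines are constructed, not real data) and flags clients that successfully retrieved the team lists of several distinct organizations, which is the enumeration pattern described above. Only `200` responses are counted, since after the fix an unauthenticated request yields `401` and discloses nothing.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SampleLog is constructed input in nginx/Apache "combined" log format. These
// lines are invented for the example; they are not real traffic.
var SampleLog = []string{
	`203.0.113.7 - - [23/Jun/2026:10:00:01 +0000] "GET /api/v1/orgs/myorg/teams HTTP/1.1" 200 312 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [23/Jun/2026:10:00:02 +0000] "GET /api/v1/orgs/finance/teams HTTP/1.1" 200 188 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [23/Jun/2026:10:00:03 +0000] "GET /api/v1/orgs/platform/teams?page=1 HTTP/1.1" 200 420 "-" "curl/8.5.0"`,
	`198.51.100.4 - - [23/Jun/2026:10:05:00 +0000] "GET /api/v1/orgs/myorg/teams HTTP/1.1" 401 27 "-" "Mozilla/5.0"`,
	`198.51.100.4 - - [23/Jun/2026:10:05:01 +0000] "GET /api/v1/orgs/myorg/repos HTTP/1.1" 200 900 "-" "Mozilla/5.0"`,
}

var (
	// client, method, path, status from a combined-format line
	lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})`)
	// the vulnerable endpoint, capturing the organization name
	teamsRe = regexp.MustCompile(`^/api/v1/orgs/([^/]+)/teams/?$`)
)

// Finding summarises one client that read team lists.
type Finding struct {
	Client string
	Orgs   []string // distinct organizations whose team list was returned (status 200)
	Hits   int      // successful requests to the endpoint
}

// FindTeamEnumeration flags clients that successfully read the team list of at
// least minOrgs distinct organizations. Legitimate members of several
// organizations will also appear, so treat the output as a triage list.
func FindTeamEnumeration(lines []string, minOrgs int) []Finding {
	orgsByClient := map[string]map[string]bool{}
	hitsByClient := map[string]int{}
	for _, ln := range lines {
		m := lineRe.FindStringSubmatch(ln)
		if m == nil || m[2] != "GET" || m[4] != "200" {
			continue
		}
		path := strings.SplitN(m[3], "?", 2)[0] // drop any query string
		p := teamsRe.FindStringSubmatch(path)
		if p == nil {
			continue
		}
		client, org := m[1], p[1]
		if orgsByClient[client] == nil {
			orgsByClient[client] = map[string]bool{}
		}
		orgsByClient[client][org] = true
		hitsByClient[client]++
	}
	var out []Finding
	for client, orgs := range orgsByClient {
		if len(orgs) < minOrgs {
			continue
		}
		f := Finding{Client: client, Hits: hitsByClient[client]}
		for o := range orgs {
			f.Orgs = append(f.Orgs, o)
		}
		sort.Strings(f.Orgs)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Client < out[j].Client })
	return out
}

func main() {
	for _, f := range FindTeamEnumeration(SampleLog, 2) {
		fmt.Printf("%s read team lists of %d orgs in %d requests: %v\n",
			f.Client, len(f.Orgs), f.Hits, f.Orgs)
	}
}
```

On the constructed sample, only `203.0.113.7` is reported (three organizations, three requests); the second client's `401` and its request to a different endpoint are ignored. Lower `minOrgs` to 1 to list every client that read any team list at all.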
Protection
The primary fix is to add the `reqToken()` middleware to the vulnerable route group in `internal/route/api/v1/api.go`. This will ensure that all requests to the `/api/v1/orgs/:orgname/teams` endpoint are authenticated.

```go
// Suggested fix: Add reqToken() middleware
m.Group("/:orgname", func() {
	m.Get("/teams", org.ListTeams)
}, reqToken(), orgAssignment(true))
```
Furthermore, as a defense-in-depth measure, the `ListTeams()` handler itself should be modified to verify that the authenticated user is a member of the target organization before returning any team data.
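The two layers described in this section, an authentication middleware in front of the route and a membership check inside the handler, are shown together in the following stand-alone Go program. It is an added illustration written with the standard `net/http` package; it is not Gogs code and does not use Gogs' router or models. The in-memory `Store`, its token table and the sample organization data are constructed for the example, and the `reqToken` and `listTeams` names only mirror the ones in the advisory.

```go
package main

import (
	"context"
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// Team mirrors the fields the vulnerable endpoint returns.
type Team struct {
	ID          int64  `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
	Permission  string `json:"permission"`
}

// Store is a constructed in-memory stand-in for the database (assumption, not Gogs code).
type Store struct {
	Tokens  map[string]string   // API token -> username
	Teams   map[string][]Team   // organization name -> teams
	Members map[string][]string // organization name -> member usernames
}

type ctxKey string

const userKey ctxKey = "user"

// reqToken plays the role of the Gogs reqToken() middleware: the request is
// rejected unless a valid token is presented, and the resolved user is put in
// the request context for the handler.
func (s *Store) reqToken(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "token ")
		user, ok := s.Tokens[tok]
		if tok == "" || !ok {
			http.Error(w, `{"message":"token is required"}`, http.StatusUnauthorized)
			return
		}
		next(w, r.WithContext(context.WithValue(r.Context(), userKey, user)))
	}
}

func (s *Store) isMember(org, user string) bool {
	for _, m := range s.Members[org] {
		if m == user {
			return true
		}
	}
	return false
}

// listTeams answers GET /api/v1/orgs/{org}/teams. The membership check is the
// defense-in-depth step: even an authenticated caller only sees the teams of
// organizations they belong to. Unknown organization and non-membership both
// yield 404 so the endpoint does not reveal which organizations exist.
func (s *Store) listTeams(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // api v1 orgs <org> teams
	if len(parts) != 5 || parts[2] != "orgs" || parts[4] != "teams" {
		http.NotFound(w, r)
		return
	}
	org := parts[3]
	user, _ := r.Context().Value(userKey).(string)
	teams, ok := s.Teams[org]
	if !ok || !s.isMember(org, user) {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(teams)
}

// NewHandler wires the chain so that reqToken runs before listTeams, which is
// what the suggested route change achieves.
func NewHandler(s *Store) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/orgs/", s.reqToken(s.listTeams))
	return mux
}

// NewSampleStore returns constructed sample data: alice is a member of myorg,
// mallory holds a valid token but is not.
func NewSampleStore() *Store {
	return &Store{
		Tokens: map[string]string{"tok-alice": "alice", "tok-mallory": "mallory"},
		Teams: map[string][]Team{
			"myorg": {
				{ID: 1, Name: "Owners", Description: "Administrators team", Permission: "owner"},
				{ID: 2, Name: "backend-devs", Description: "Backend development team", Permission: "write"},
			},
		},
		Members: map[string][]string{"myorg": {"alice"}},
	}
}

func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:3000", NewHandler(NewSampleStore())))
}
```

With the server running, the curl command from earlier in this post gets `401` instead of the team list; the same request with `-H "Authorization: token tok-alice"` returns the two teams, while `tok-mallory` receives `404` because the membership check fails.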
Impact
An unauthenticated attacker can exploit this vulnerability to:
- Enumerate all teams within any organization, including private or internal ones.
- Discover team permission levels (read, write, admin, owner), which helps in identifying high-value targets for privilege escalation.
- Map the organizational structure to understand team hierarchies and relationships.
- Harvest team IDs for potential use in other API calls that might have weaker or inconsistent authorization checks.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode