Key information

Vulnerability overview
CVE ID: CVE-2026-25232
Severity: Critical
GitHub Security Advisory: GHSA-2c6v-8r3v-gh6p
Published: Last week by

Affected scope and fix
Affected versions: <= 0.13.4
Patched versions: 0.14.0

Vulnerability details
Summary:
- An access control bypass vulnerability exists in the Gogs web interface that allows any collaborator with Write permission to delete protected branches, including the default branch, by sending a direct POST request.
- This enables privilege escalation from Writer to Admin level, allowing low-privilege users to perform dangerous operations that are restricted to admins.
- While the Git hook prevents protected branch deletion via SSH push, deletion through the web interface does not trigger Git hooks.
Root Cause:
- The function does not check whether the branch is protected.
- The UI layer correctly checks the branch protection status, but an attacker can construct POST requests directly to bypass the UI restrictions.
Vulnerable Code Location:
- File:
- Function: (lines 110-155)
- Route Configuration:
Correct Implementation:
- A check must be added to see whether the branch is protected before deletion.

Exploitation
Proof-of-Concept (PoC)

Impact and risk
- Bypass branch protection mechanism: the core function of protected branches, preventing deletion, is undermined.
- Delete default branch: can make the repository inaccessible (git clone/pull failures).
- Bypass code review: after deleting a protected branch, a new branch can be pushed, bypassing Pull Request review.
- Privilege escalation: Writer users can perform operations that should be allowed only for Admins.
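The root cause and the correct implementation above, shown side by side as an added example (not Gogs' own code): a delete handler that only verifies the branch exists, beside one that enforces the protection check on the server so a request built outside the UI meets the same rule. The Repo type, its sample branches and the handler names are constructed for this illustration.

```go
package main

import "net/http"

// Repo is a hypothetical in-memory stand-in for a repository and its branch
// protection table (constructed for this example, not Gogs' own code).
type Repo struct {
	DefaultBranch string
	Branches      map[string]bool // branch name -> exists
	Protected     map[string]bool // branch name -> protection enabled
}

// NewRepo returns constructed sample data: "main" (default) and "release" are protected.
func NewRepo() *Repo {
	return &Repo{
		DefaultBranch: "main",
		Branches:      map[string]bool{"main": true, "release": true, "feature": true},
		Protected:     map[string]bool{"main": true, "release": true},
	}
}

// DeleteBranchUnchecked mirrors the flaw in the advisory: the server checks only
// that the branch exists, never whether it is protected; the hidden UI button is the sole safeguard.
func DeleteBranchUnchecked(r *Repo, name string) int {
	if !r.Branches[name] {
		return http.StatusNotFound
	}
	delete(r.Branches, name)
	return http.StatusOK
}

// DeleteBranchChecked adds the server-side check the fix requires: protected
// branches and the default branch are refused however the request was built.
func DeleteBranchChecked(r *Repo, name string) int {
	if !r.Branches[name] {
		return http.StatusNotFound
	}
	if r.Protected[name] || name == r.DefaultBranch {
		return http.StatusForbidden
	}
	delete(r.Branches, name)
	return http.StatusOK
}

// DeleteHandler wires the checked version into the POST route the UI would call.
func DeleteHandler(r *Repo) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		w.WriteHeader(DeleteBranchChecked(r, req.FormValue("name")))
	}
}
```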