5.1

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-25120

CVE-2026-25120: Gogs Allows Cross-Repository Comment Deletion via DeleteComment

IDOR: Cross-Repository Comment Deletion via DeleteComment

Summary

The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls.

Vulnerability Details

| Field | Value | |-------|-------| | Affected File | internal/route/repo/issue.go | | Affected Function | DeleteComment (lines 955-968) | | Secondary File | internal/database/comment.go | | Secondary Function | DeleteCommentByID (lines 505-520) |

Root Cause

The vulnerability exists due to insufficient authorization validation in the comment deletion flow:

1. Missing Repository Ownership Check in DeleteComment

In internal/route/repo/issue.go, the function retrieves a comment by ID without verifying repository ownership:

func DeleteComment(c *context.Context) {
    comment, err := database.GetCommentByID(c.ParamsInt64(":id"))
    if err != nil {
        c.NotFoundOrError(err, "get comment by ID")
        return
    }

    // Only checks if user is comment poster OR admin of the CURRENT repo (from URL)
    if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
        c.NotFound()
        return
    } else if comment.Type != database.CommentTypeComment {
        c.Status(http.StatusNoContent)
        return
    }

    // No verification that comment.IssueID belongs to c.Repo.Repository.ID!
    if err = database.DeleteCommentByID(c.User, comment.ID); err != nil {
        c.Error(err, "delete comment by ID")
        return
    }

    c.Status(http.StatusOK)
}

2. Database Layer Performs No Authorization

In internal/database/comment.go, the deletion function performs no repository validation:

func DeleteCommentByID(doer *User, id int64) error {
    comment, err := GetCommentByID(id)
    if err != nil {
        if IsErrCommentNotExist(err) {
            return nil
        }
        return err
    }

    // Directly deletes without checking repository ownership
    sess := x.NewSession()
    defer sess.Close()
    if err = sess.Begin(); err != nil {
        return err
    }

    if _, err = sess.ID(comment.ID).Delete(new(Comment)); err != nil {
        // ...
    }
    // ...
}

Proof of Concept

Prerequisites

Two users: Alice (attacker) and Bob (victim)
Alice is admin of alice/attacker-repo
Bob has created an issue with a comment on bob/victim-repo
Attacker needs to obtain the comment ID from victim's repository (e.g., ID: 42)

HTTP Request

POST /alice/attacker-repo/issues/comments/42/delete HTTP/1.1
Host: gogs.example.com
Cookie: i_like_gogs=<alice_session_token>

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-25120

CVE-2026-25120:

5.1

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gogs.io/gogs	go	<= 0.13.4	0.14.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an Insecure Direct Object Reference (IDOR) in the Gogs application, specifically in how comment deletions are handled. The root cause is a missing authorization check in the DeleteComment function (and its API equivalent DeleteIssueComment).

When a user attempts to delete a comment, the application correctly checks if the user is an administrator of the repository specified in the request URL. However, it fails to verify that the comment being deleted actually belongs to that repository. The application fetches the comment from the database using only its ID.

An attacker who is an administrator of one repository (e.g., attacker/repo) can exploit this by sending a request to delete a comment from a victim's repository (e.g., victim/repo). The attacker crafts a POST request to their own repository's endpoint but uses the ID of a comment from the victim's repository. The application's flawed logic approves the request because the attacker is an admin of attacker/repo, and it proceeds to delete the comment from victim/repo without proper ownership verification.

The patch fixes this by adding a crucial validation step. It first fetches the issue to which the comment belongs, and then it compares the issue's repository ID with the repository ID from the request context. If they do not match, the request is denied, effectively closing the IDOR vulnerability.

Vulnerable functions

DeleteComment

internal/route/repo/issue.go

The `DeleteComment` function is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability. Before the patch, the function retrieved a comment by its ID from the request parameters but did not verify that this comment belonged to the repository specified in the URL. The function only checked if the user making the request was an administrator of the repository in the URL, not the repository where the comment was actually posted. This allowed an administrator of any repository to delete comments from any other repository on the platform.

DeleteIssueComment

internal/route/api/v1/repo/issue_comment.go

Similar to `DeleteComment`, the `DeleteIssueComment` function for the v1 API was also vulnerable. It failed to validate that the comment being deleted belonged to the repository specified in the API request. This allowed a repository administrator to delete comments from other repositories through the API, leading to the same cross-repository data modification vulnerability.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-25120: Gogs Allows Cross-Repository Comment Deletion via DeleteComment

IDOR: Cross-Repository Comment Deletion via DeleteComment

Summary

Vulnerability Details

Root Cause

1. Missing Repository Ownership Check in DeleteComment

2. Database Layer Performs No Authorization

Proof of Concept

Prerequisites

HTTP Request

CVE-2026-25120:

5.1

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

CVE-2026-25120: Gogs Allows Cross-Repository Comment Deletion via DeleteComment

IDOR: Cross-Repository Comment Deletion via DeleteComment

Summary

Vulnerability Details

Root Cause

1. Missing Repository Ownership Check in DeleteComment

2. Database Layer Performs No Authorization

Proof of Concept

Prerequisites

HTTP Request

Technical Details

5.1

5.1

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI