5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-25229

CVE-2026-25229: Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs

Summary

A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks.

Details

The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation:

Vulnerable Code (internal/route/repo/issue.go:1040-1054):

func UpdateLabel(c *context.Context, f form.CreateLabel) {
    l, err := database.GetLabelByID(f.ID)  // ❌ No repository validation
    if err != nil {
        c.NotFoundOrError(err, "get label by ID")
        return
    }

    // ❌ Missing validation: l.RepoID != c.Repo.Repository.ID
    l.Name = f.Title
    l.Color = f.Color
    if err := database.UpdateLabel(l); err != nil {
        c.Error(err, "update label")
        return
    }
    c.RawRedirect(c.Repo.MakeURL("labels"))
}

Root Cause:

The function calls database.GetLabelByID(f.ID) which internally passes repoID=0 to the ORM layer
According to code comments in internal/database/issue_label.go:147-166, passing repoID=0 causes the ORM to ignore repository restrictions
No validation checks whether l.RepoID == c.Repo.Repository.ID before updating
The middleware reqRepoWriter() only validates write access to the repository in the URL path, not the label's actual repository

Inconsistency with Other Functions:

NewLabel: Correctly sets RepoID = c.Repo.Repository.ID
DeleteLabel: Correctly uses database.DeleteLabel(c.Repo.Repository.ID, id)
API EditLabel: Correctly uses database.GetLabelOfRepoByID(c.Repo.Repository.ID, id)

Only UpdateLabel in Web UI uses the vulnerable pattern

PoC

Prerequisites:

Two user accounts: Alice (attacker) and Bob (victim)
alice has written access to repo-a
Bob owns repo-b with labels

Step 1: Identify Target Label ID

Login as bob, navigate to bob/repo-b/labels
Open browser DevTools (F12) → Network tab
Click edit on any label
Observe the form data: id=<LABEL_ID>
Example: id=1

Step 2: Execute Attack

# Login as alice, get session cookie
# Open DevTools → Application → Cookies → i_like_gogs
# Copy the cookie value

# Send malicious request
curl -X POST "http://localhost:3000/alice/repo-a/labels/edit" \
  -H "Cookie: i_like_gogs=<ALICE_SESSION_COOKIE>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "id=1&title=HACKED-BY-ALICE&color=%23000000"

# Expected response: 302 Found (redirect)

Step 3: Verify Impact

Login as bob
Navigate to bob/repo-b/labels
Observe: Label "P0-Critical" is now "HACKED-BY-ALICE" with black color

Impact

Issue Classification Disruption: Modify critical labels (e.g., "P0-Critical" → "P3-Low") causing urgent issues to be deprioritized
Security Issue Concealment: Change "security" labels to "documentation" to hide vulnerability reports from security teams
Workflow** Sabotage**: Alter labels used in CI/CD automation, breaking deployment pipelines
Mass Disruption: Batch modifies all labels across multiple repositories using ID enumeration

Recommended Fix:

func UpdateLabel(c *context.Context, f form.CreateLabel) {
    l, err := database.GetLabelOfRepoByID(c.Repo.Repository.ID, f.ID)
    if err != nil {
        c.NotFoundOrError(err, "get label of repository by ID")
        return
    }
    // Now label ownership is validated at database layer
    l.Name = f.Title
    l.Color = f.Color
    if err := database.UpdateLabel(l); err != nil {
        c.Error(err, "update label")
        return
    }
    c.RawRedirect(c.Repo.MakeURL("labels"))
}

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-25229

CVE-2026-25229:

5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gogs.io/gogs	go	<= 0.13.4	0.14.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly identified the UpdateLabel function in internal/route/repo/issue.go as the source of the authorization bypass. The analysis of the provided patch confirms this. The patch replaces the insecure call to database.GetLabelByID(f.ID) with database.GetLabelOfRepoByID(c.Repo.Repository.ID, f.ID). This change ensures that the label being updated belongs to the repository the user is authorized to modify, effectively closing the access control gap. The commit message security: fix cross-repository label modification vulnerability directly links the code change to the resolution of this specific security issue.

Vulnerable functions

UpdateLabel

internal/route/repo/issue.go

The `UpdateLabel` function is vulnerable to an authorization bypass. It retrieves a label using `database.GetLabelByID`, which only uses the label ID for the lookup and does not validate if the label belongs to the repository specified in the request context. This allows an authenticated user with write permissions on any repository to modify labels in other repositories by sending a crafted request with the target label's ID.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-25229: Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs

Summary

Details

PoC

Impact

CVE-2026-25229:

5.3

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Basic Information

Basic Information

5.3

5.3

CVE-2026-25229: Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs

Summary

Details

PoC

Impact

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI