{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26196", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-11T19:56:24.813Z", "datePublished": "2026-03-05T18:49:19.540Z", "dateUpdated": "2026-03-06T18:08:07.473Z"}, "containers": {"cna": {"title": "Gogs: Access tokens get exposed through URL params in API requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-598", "lang": "en", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc"}, {"name": "https://github.com/gogs/gogs/pull/8177", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/pull/8177"}, {"name": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd"}, {"name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"version": "< 0.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:49:19.540Z"}, "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2."}], "source": {"advisory": "GHSA-x9p5-w45c-7ffc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:07:57.384250Z", "id": "CVE-2026-26196", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:08:07.473Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26196", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T18:07:57.384250Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:08:01.799Z"}}], "cna": {"title": "Gogs: Access tokens get exposed through URL params in API requests", "source": {"advisory": "GHSA-x9p5-w45c-7ffc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "gogs", "product": "gogs", "versions": [{"status": "affected", "version": "< 0.14.2"}]}], "references": [{"url": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc", "name": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gogs/gogs/pull/8177", "name": "https://github.com/gogs/gogs/pull/8177", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd", "name": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "name": "https://github.com/gogs/gogs/releases/tag/v0.14.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-598", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T18:49:19.540Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26196", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:08:07.473Z", "dateReserved": "2026-02-11T19:56:24.813Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T18:49:19.540Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EDBB1E3-57E4-4560-A44F-7C54FD21C8B9", "versionEndExcluding": "0.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2."}], "id": "CVE-2026-26196", "lastModified": "2026-03-05T22:04:11.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T19:16:04.080", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gogs/gogs/commit/295bfba72993c372e7b338438947d8e1a6bed8fd"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/gogs/gogs/pull/8177"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-598"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.14.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "gogs", "vendor": "gogs"}], "analysis": {"en": {"generated_at": "2026-04-16T12:14:30.070970+00:00", "value": {"mitigation_remediation": ["Upgrade Gogs to version 0.14.2 or later, where the API no longer accepts tokens in URL parameters.", "Search existing logs for exposed tokens and purge any sensitive entries immediately.", "Modify application configuration or code to enforce that tokens are passed exclusively via Authorization headers and not via URL query parameters."], "summary": {"action": "Immediate Patch", "impact": "Exposure of access tokens via URLs leading to credential leakage"}, "threat_synthesis": {"affected_systems": "The issue affects all versions of Gogs prior to 0.14.2. The vendor product is Gogs, an open\u2011source self\u2011hosted Git service, and the vulnerable components are the API endpoints that parse URL query parameters for authentication tokens.", "description_and_impact": "The vulnerability allows the Gogs API to accept access tokens in URL query parameters such as token and access_token. Tokens included in URLs can be recorded in web server logs, stored in browser history, and transmitted via HTTP referrer headers. An individual with access to these logs or the ability to intercept network traffic could retrieve valid tokens, granting unauthorized access to repositories and potentially sensitive data. Though the flaw does not provide direct code execution or server compromise, it facilitates credential disclosure and an elevated risk of account take\u2011over.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity, while the EPSS score of less than 1% suggests very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed public exploits. Attackers could exploit the flaw by crafting URLs that include tokens or by intercepting traffic that contains such URLs. This requires either access to server logs or the ability to observe HTTP requests, making the attack vector likely to be either local or remote through traffic interception."}}}}, "created": "2026-03-06T15:01:22.185050+00:00", "updated": "2026-04-16T12:15:35.096895+00:00", "vendors": ["gogs", "gogs$PRODUCT$gogs"]}