Home

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.

PUBLISHED Reserved 2026-06-08 | Published 2026-06-24 | Updated 2026-06-26 | Assigner GitHub_M




MEDIUM: 6.8CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-324: Use of a Key Past its Expiration Date

CWE-613: Insufficient Session Expiration

Product status

< 0.14.3
affected

References

github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g exploit

github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g

github.com/gogs/gogs/releases/tag/v0.14.3

cve.org (CVE-2026-52809)

nvd.nist.gov (CVE-2026-52809)

Download JSON