Gogs: Critical Gogs Vulnerability Allows Attackers to Silently Overwrite Large File Storage Objects

Critical Gogs Vulnerability (CVE-2026-25921) Exposes Self-Hosted Git Services to Supply-Chain Attacks

A severe security flaw in Gogs, a popular open-source self-hosted Git service, has been identified, allowing unauthenticated attackers to silently overwrite Git Large File Storage (LFS) objects across repositories. Tracked as CVE-2026-25921 (CVSS 9.3), the vulnerability affects Gogs versions 0.14.1 and earlier and could enable stealthy supply-chain attacks by replacing legitimate files with malicious payloads, such as backdoored binaries or scripts.

Vulnerability Details

The flaw stems from CWE-345 (Insufficient Verification of Data Authenticity) in Gogs’ LFS storage architecture. Key issues include:

  • No repository-level isolation: LFS objects are stored in a global directory, with paths determined solely by the Object ID (OID), allowing cross-repository manipulation.
  • Missing hash verification: Gogs does not validate whether uploaded files match their declared SHA-256 hash, enabling attackers to substitute files without detection.

Impact & Risks

Exploiting this vulnerability could allow attackers to:

  • Replace critical project files (e.g., datasets, compiled binaries) with malicious versions.
  • Compromise software supply chains by injecting backdoors into repositories.
  • Evade detection, as the attack does not require authentication.

Mitigation & Patch

The vulnerability was disclosed by security researcher zjuchenyuan via a GitHub advisory. Gogs maintainers have released version 0.14.2, which enforces strict hash verification for LFS objects. Recommended actions:

  • Upgrade to Gogs 0.14.2 or later immediately.
  • Audit existing LFS objects to ensure no unauthorized modifications occurred before patching.
  • Restrict access or disable public registrations if patching is delayed.
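The two checks the advisory turns on, as an added example rather than Gogs' own code: the upload-time SHA-256 verification that 0.14.2 enforces, and the post-patch audit of already-stored objects recommended above. The flat one-file-per-OID store layout and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// ErrOIDMismatch: the body does not hash to the SHA-256 OID the client declared.
var ErrOIDMismatch = errors.New("lfs: content does not match declared OID")

// verifyLFSObject is the upload-time check the advisory says Gogs <= 0.14.1 lacked:
// hash the body and refuse to store it unless the digest equals the declared OID.
func verifyLFSObject(declaredOID string, data []byte) error {
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != declaredOID {
		return ErrOIDMismatch
	}
	return nil
}

// auditLFSDir is the post-incident audit: walk a flat object store (assumed layout:
// one regular file per object, file name == OID) and return, sorted, every OID whose
// bytes on disk no longer hash to its name. Objects are read whole for brevity.
func auditLFSDir(root string) ([]string, error) {
	var tampered []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if verifyLFSObject(d.Name(), data) != nil {
			tampered = append(tampered, d.Name())
		}
		return nil
	})
	sort.Strings(tampered)
	return tampered, err
}
```

Any OID the audit returns is an object whose content was replaced after upload and should be treated as untrusted until re-fetched from a known-good source.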

The flaw underscores the risks of unverified file storage in self-hosted Git services, particularly for organizations managing sensitive or widely distributed codebases.

Source: https://cyberpress.org/gogs-vulnerability-2/

GOG cybersecurity rating report: https://www.rankiteo.com/company/gogcom

{
  "id": "GOG1773146209",
  "linkid": "gogcom",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Organizations using Gogs versions 0.14.1 and earlier",
      "industry": "Software Development",
      "name": "Gogs",
      "type": "Open-source self-hosted Git service"
    }
  ],
  "attack_vector": "Unauthenticated file overwrite via LFS objects",
  "data_breach": {
    "file_types_exposed": ["LFS objects"],
    "sensitivity_of_data": "High (potential for malicious payloads)",
    "type_of_data_compromised": "Repository files (e.g., datasets, compiled binaries, scripts)"
  },
  "description": "A severe security flaw in Gogs, a popular open-source self-hosted Git service, has been identified, allowing unauthenticated attackers to silently overwrite Git Large File Storage (LFS) objects across repositories. The vulnerability could enable stealthy supply-chain attacks by replacing legitimate files with malicious payloads, such as backdoored binaries or scripts.",
  "impact": {
    "brand_reputation_impact": "Risk of reputational damage due to supply-chain compromise",
    "operational_impact": "Potential compromise of software supply chains, injection of backdoors into repositories",
    "systems_affected": "Gogs versions 0.14.1 and earlier"
  },
  "lessons_learned": "Risks of unverified file storage in self-hosted Git services, importance of repository-level isolation and hash verification for LFS objects",
  "post_incident_analysis": {
    "corrective_actions": "Enforce strict hash verification for LFS objects, release patched version (0.14.2)",
    "root_causes": "No repository-level isolation for LFS objects, missing hash verification for uploaded files"
  },
  "recommendations": [
    "Upgrade to Gogs 0.14.2 or later immediately",
    "Audit existing LFS objects for unauthorized modifications",
    "Restrict access or disable public registrations if patching is delayed"
  ],
  "references": [{"source": "GitHub Advisory"}],
  "response": {
    "containment_measures": "Upgrade to Gogs 0.14.2 or later, audit existing LFS objects, restrict access or disable public registrations if patching is delayed",
    "remediation_measures": "Enforce strict hash verification for LFS objects in Gogs 0.14.2"
  },
  "title": "Critical Gogs Vulnerability (CVE-2026-25921) Exposes Self-Hosted Git Services to Supply-Chain Attacks",
  "type": "Supply-Chain Attack",
  "vulnerability_exploited": "CVE-2026-25921 (CWE-345: Insufficient Verification of Data Authenticity)"
}