GHSA-4565-r4x7-hg8jMedium

Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function.

Vulnerable Code

In internal/database/repo_collaboration.go, line 129:

func (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {
    // Discard invalid input
    if mode <= AccessModeNone || mode > AccessModeOwner {
        return nil
    }

AccessModeOwner has value 4. The check mode > AccessModeOwner evaluates to 4 > 4 = false, allowing AccessModeOwner to pass through. The correct check should be mode >= AccessModeOwner.

The web route at internal/route/repo/setting.go:413-416 takes the mode as a raw integer from query parameters:

func ChangeCollaborationAccessMode(c *context.Context) {
    if err := c.Repo.Repository.ChangeCollaborationAccessMode(
        c.QueryInt64("uid"),
        database.AccessMode(c.QueryInt("mode"))); err != nil {

This allows an admin collaborator to POST mode=4 and escalate to owner.

Impact

A repository admin collaborator (AccessModeAdmin = 3) can escalate to owner-level access (AccessModeOwner = 4), gaining the ability to:

  • Delete the repository
  • Transfer repository ownership to another user
  • Erase wiki data
  • Perform all other owner-only operations

The access table is also updated (line 181), so the escalated permissions persist across sessions.

Contrast

The API route at internal/route/api/v1/repo_collaborators.go:46 uses ParseAccessMode() which only returns Read, Write, or Admin - never Owner. The API endpoint is not affected.

Steps to Reproduce

  1. User A creates a private repository
  2. User A adds User B as a collaborator with Admin access (mode=3)
  3. User B logs in and navigates to the repository settings collaboration page
  4. User B sends a POST request:
    POST /{owner}/{repo}/settings/collaboration/access_mode?uid={B_uid}&mode=4
    
  5. User B now has Owner access - the "Danger Zone" section appears with "Delete This Repository" and "Transfer Ownership" buttons

Suggested Fix

Change the validation in internal/database/repo_collaboration.go line 129 from:

if mode <= AccessModeNone || mode > AccessModeOwner {

to:

if mode <= AccessModeNone || mode >= AccessModeOwner {

🎯 Affected products1

  • go/gogs.io/gogs:< 0.14.3

🔗 References (5)