The Gogs API still accepts tokens in URL parameters such as token and access_token, which can leak through logs, browser history, and referrers.
A static review shows that the API still checks tokens in the URL query before looking at headers:
- c.Query("token")
- c.Query("access_token")
- the Authorization header, only when the query token is empty
Token-authenticated requests are accepted by API routes through c.IsTokenAuth checks:
- internal/route/api/v1/api.go
If tokens are sent in URLs such as /api/v1/user?token=..., they can leak in logs, browser or shell history, and referrer headers, and can be reused until revoked.
A fix is available at https://github.com/gogs/gogs/releases/tag/v0.14.2.
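The lookup order described above (URL query first, Authorization header second) is what makes the token land in logs and history. The following Go program is an added example written for this page, not Gogs' own code: it contrasts a lookup that mirrors that order with a header-only lookup that rejects query tokens, and adds a small redaction helper a defender can run over access logs so stored lines do not retain the secret. The parameter names `token` and `access_token` come from the advisory; the `Authorization: token <value>` scheme, the hostname and the log lines are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// ErrTokenInQuery is returned when a client sends the token as a URL parameter.
var ErrTokenInQuery = errors.New("access token must be sent in the Authorization header, not the URL")

// ErrNoToken is returned when the Authorization header carries no usable token.
var ErrNoToken = errors.New("no access token supplied")

// queryTokenKeys are the query-parameter names the advisory says the API honours.
var queryTokenKeys = []string{"token", "access_token"}

// legacyToken mirrors the lookup order the advisory describes: URL query first,
// then the Authorization header. It is here only to contrast with headerOnlyToken.
func legacyToken(r *http.Request) (string, error) {
	q := r.URL.Query()
	for _, k := range queryTokenKeys {
		if v := q.Get(k); v != "" {
			return v, nil
		}
	}
	return bearerToken(r)
}

// headerOnlyToken is the hardened variant: a token in the query string is an
// error, not an alternative credential source.
func headerOnlyToken(r *http.Request) (string, error) {
	q := r.URL.Query()
	for _, k := range queryTokenKeys {
		if q.Has(k) {
			return "", ErrTokenInQuery
		}
	}
	return bearerToken(r)
}

// bearerToken reads "Authorization: token <value>" or "Authorization: Bearer <value>"
// (assumed header schemes for this example).
func bearerToken(r *http.Request) (string, error) {
	fields := strings.Fields(r.Header.Get("Authorization"))
	if len(fields) != 2 {
		return "", ErrNoToken
	}
	switch strings.ToLower(fields[0]) {
	case "token", "bearer":
		return fields[1], nil
	}
	return "", ErrNoToken
}

// newRequest builds a GET request for the example; an empty auth omits the header.
func newRequest(rawURL, auth string) *http.Request {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		panic(err)
	}
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	return req
}

// tokenParam matches a token-bearing query parameter in a URL or access-log line.
var tokenParam = regexp.MustCompile(`([?&](?:token|access_token)=)[^&\s"]+`)

// countLeakedTokens reports how many log lines carry a token in the URL query.
func countLeakedTokens(lines []string) int {
	n := 0
	for _, l := range lines {
		if tokenParam.MatchString(l) {
			n++
		}
	}
	return n
}

// redactTokens replaces the token value so the stored log line no longer holds it.
func redactTokens(line string) string {
	return tokenParam.ReplaceAllString(line, "${1}[REDACTED]")
}

// sampleLogLines are constructed access-log lines, not real Gogs output.
var sampleLogLines = []string{
	`10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api/v1/user?token=abc123 HTTP/1.1" 200 512`,
	`10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /api/v1/user/repos?access_token=def456&limit=10 HTTP/1.1" 200 2048`,
	`10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /api/v1/user HTTP/1.1" 200 512`,
}

func main() {
	queryReq := newRequest("https://gogs.example.invalid/api/v1/user?token=abc123", "")
	headerReq := newRequest("https://gogs.example.invalid/api/v1/user", "token abc123")
	tok, err := legacyToken(queryReq)
	fmt.Printf("legacy lookup, token in URL:      tok=%q err=%v\n", tok, err)
	tok, err = headerOnlyToken(queryReq)
	fmt.Printf("header-only lookup, token in URL: tok=%q err=%v\n", tok, err)
	tok, err = headerOnlyToken(headerReq)
	fmt.Printf("header-only lookup, header:       tok=%q err=%v\n", tok, err)
	fmt.Printf("log lines carrying a URL token: %d\n", countLeakedTokens(sampleLogLines))
	for _, l := range sampleLogLines {
		fmt.Println(redactTokens(l))
	}
}
```

The redaction is a stop-gap for logs that already exist; the durable fix is the header-only lookup (or the patched release), since a token that never enters the URL cannot reach the access log, the browser history or a Referer header in the first place.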
| Score | Percentile |
|---|---|
| 0.04% | 13.11% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 3.1 | — | — |
| 6.9 | 4.0 | — | — |
| Type | Value |
|---|---|
| GHSA | GHSA-x9p5-w45c-7ffc |
| CVE | CVE-2026-26196 |
| CWE id | Name |
|---|---|
| CWE-598 | Use of GET Request Method With Sensitive Query Strings |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | gogs.io/gogs | <= 0.13.3 | — | — |