CVE-2025-64175 HIGH

CVE-2025-64175: Gogs Vulnerable to 2FA Bypass via Recovery Code

Vendor Gogs
Product gogs
Weakness CWE-287 · Improper authentication
Published February 6, 2026
Last update February 26, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Attack requirements Present
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user, enabling a cross-account bypass: a submitted recovery code is checked against the pool of unused codes as a whole rather than against the codes issued to the account being authenticated. If an attacker knows a victim's username and password, they can use any unused recovery code (e.g., one generated for their own account) to bypass the victim's 2FA. This enables full account takeover and renders 2FA ineffective in every environment where it is enabled. Note the precondition: the attacker must already hold the victim's valid first-factor credentials, which is what the Attack Requirements (AT:P) and Privileges Required (PR:L) metrics in the CVSS vector reflect. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
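The flaw is easiest to see as a lookup keyed on the wrong thing. The Go block below is an added illustration written for this page, not Gogs' own code: the Store type, the recoveryCode struct, the function names and the recovery-code strings are all hypothetical and constructed for the example. It places the unscoped lookup the advisory describes beside a lookup scoped by user ID, and shows that a code issued to the attacker's account is accepted for the victim's account only by the first.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// recoveryCode models one 2FA recovery code row. The struct and the Store
// below are hypothetical stand-ins for this example, not Gogs' data model.
type recoveryCode struct {
	userID int64
	code   string
	used   bool
}

// ErrInvalidRecoveryCode is returned when no matching unused code exists.
var ErrInvalidRecoveryCode = errors.New("invalid or already used recovery code")

// Store keeps every user's recovery codes in one table, as a real
// implementation would in a single database table.
type Store struct {
	codes []*recoveryCode
}

// UseRecoveryCodeUnscoped reproduces the flawed pattern the advisory
// describes: the lookup matches on the code value alone and ignores which
// account is authenticating, so an unused code issued to any user is
// accepted as the second factor for any other user.
func (s *Store) UseRecoveryCodeUnscoped(userID int64, code string) error {
	for _, rc := range s.codes {
		if !rc.used && subtle.ConstantTimeCompare([]byte(rc.code), []byte(code)) == 1 {
			rc.used = true
			return nil
		}
	}
	return ErrInvalidRecoveryCode
}

// UseRecoveryCodeScoped is the hardened form: a code is only valid if it
// belongs to the user whose second factor is being checked. Scoping the
// lookup by userID is the actual fix; the constant-time compare is a
// secondary hardening against timing side channels.
func (s *Store) UseRecoveryCodeScoped(userID int64, code string) error {
	for _, rc := range s.codes {
		if rc.userID != userID || rc.used {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(rc.code), []byte(code)) == 1 {
			rc.used = true
			return nil
		}
	}
	return ErrInvalidRecoveryCode
}

// newDemoStore builds a constructed two-user table: user 1 is the victim,
// user 2 the attacker. The code strings are made up for this example.
func newDemoStore() *Store {
	return &Store{codes: []*recoveryCode{
		{userID: 1, code: "victim-aaaa-1111"},
		{userID: 1, code: "victim-bbbb-2222"},
		{userID: 2, code: "attacker-cccc-3333"},
	}}
}

func main() {
	// The attacker already holds the victim's password (first factor) and
	// now submits a recovery code from their OWN account as the victim's
	// second factor.
	const victimID, attackerCode = 1, "attacker-cccc-3333"

	s := newDemoStore()
	fmt.Println("unscoped lookup, cross-account code:", s.UseRecoveryCodeUnscoped(victimID, attackerCode))

	s = newDemoStore()
	fmt.Println("scoped lookup, cross-account code:  ", s.UseRecoveryCodeScoped(victimID, attackerCode))
	fmt.Println("scoped lookup, victim's own code:    ", s.UseRecoveryCodeScoped(victimID, "victim-aaaa-1111"))
	fmt.Println("scoped lookup, replayed code:        ", s.UseRecoveryCodeScoped(victimID, "victim-aaaa-1111"))
}
```

When auditing a second-factor implementation for this class of bug, the thing to look for is any recovery-code, backup-code or one-time-token lookup whose query predicate is the code value alone (`WHERE code = ?` with no `AND user_id = ?`); the same pattern also turns a guessable code space into a cross-account brute-force target, because every user's unused codes become valid guesses for any account.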

Key dates

02 Disclosure timeline

February 6, 2026 CVE published
February 26, 2026 Record updated