CVE-2026-26196 MEDIUM

CVE-2026-26196: Gogs: Access tokens get exposed through URL params in API requests

Vendor Gogs
Product gogs
Weakness CWE-598
Published March 5, 2026
Last update March 6, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts access tokens in URL parameters such as token and access_token, where they can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.
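To check whether tokens have already leaked this way, the following added example (not code from the Gogs project) scans access-log lines for the two parameter names in the description, redacts the values, and reports which lines carried a token. The log format, host name, request paths and token values are constructed samples, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Matches the two query parameter names named in the advisory, only when they
// start a parameter (after ? or &), so names like csrf_token are left alone.
var tokenParam = regexp.MustCompile(`([?&](?:access_token|token)=)[^&\s"#]+`)

// RedactLine masks token values in one log line and reports whether any were found.
func RedactLine(line string) (string, bool) {
	out := tokenParam.ReplaceAllString(line, "${1}REDACTED")
	return out, out != line
}

// Scan redacts every line and returns the cleaned lines plus the indexes of
// lines that carried a token, so the affected tokens can be identified.
func Scan(lines []string) ([]string, []int) {
	cleaned := make([]string, 0, len(lines))
	var hits []int
	for i, l := range lines {
		c, found := RedactLine(l)
		cleaned = append(cleaned, c)
		if found {
			hits = append(hits, i)
		}
	}
	return cleaned, hits
}

// Constructed sample access-log lines (assumed combined log format, not real data).
var sampleLog = []string{
	`203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "GET /api/v1/user/repos?token=0123456789abcdef HTTP/1.1" 200 512 "-" "curl/8.5"`,
	`203.0.113.7 - - [05/Mar/2026:10:00:02 +0000] "GET /api/v1/user?page=1&access_token=fedcba9876543210 HTTP/1.1" 200 204 "-" "curl/8.5"`,
	`203.0.113.9 - - [05/Mar/2026:10:00:03 +0000] "GET /static/app.css HTTP/1.1" 200 900 "https://git.example.test/api/v1/user?token=0123456789abcdef" "Mozilla/5.0"`,
	`203.0.113.9 - - [05/Mar/2026:10:00:04 +0000] "POST /login?csrf_token=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"`,
}

func main() {
	cleaned, hits := Scan(sampleLog)
	for _, l := range cleaned {
		fmt.Println(l)
	}
	fmt.Println("lines with exposed tokens:", hits)
}
```

The third sample line shows the referrer path: the token appears in the Referer field of a request for an unrelated resource. Any token found in a log should be treated as exposed and rotated.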

Key dates

02 Disclosure timeline

March 5, 2026 CVE published
March 6, 2026 Record updated