CVE-2026-26196: Sensitive API Token Exposure via URL Query Parameters in Gogs
Vulnerability ID: CVE-2026-26196
CVSS Score: 6.9
Published: 2026-03-05
Gogs, a self-hosted Git service, accepted API authentication tokens in URL query parameters (token and access_token) in versions prior to 0.14.2. Unlike request headers, query strings are routinely recorded in web server access logs, reverse proxy logs and browser history, and are forwarded to third parties in the HTTP Referer header, so any token passed this way could be read by anyone with access to those records and used for account takeover. Gogs 0.14.2 stops reading the token from the query string and requires the Authorization header.
TL;DR
Gogs versions < 0.14.2 allow API authentication via URL query strings. This exposes secret tokens to server logs and intermediaries. The fix in 0.14.2 removes query parameter support, enforcing the use of the Authorization header. Users must upgrade and rotate all existing tokens.
Technical Details
- CVE ID: CVE-2026-26196
- CVSS v4.0: 6.9 (Medium)
- CWE ID: CWE-598
- Impact: Information Disclosure (Credential Leak)
- Attack Vector: Network (Passive)
- Patch Commit: 295bfba7299
Affected Systems
- Gogs (Self-Hosted Git Service): versions < 0.14.2 (fixed in 0.14.2)
Code Analysis
Commit: 295bfba
Remove token query parameter handling from auth.go
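The following Go program is an added illustration of the behaviour the commit removes; it is not Gogs' auth.go and does not reproduce its code. The legacy extractor reads the token from the `token` or `access_token` query parameter before falling back to the header, which is the leaky path; the fixed extractor only honours `Authorization: token <value>` and, as an extra hardening choice beyond what the advisory describes, refuses any request that still carries a query-string token so the client fails loudly and the operator knows that token has already landed in logs. The token value, user name and endpoint are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// validTokens stands in for the server's access-token table; the entry is constructed.
var validTokens = map[string]string{
	"0123456789abcdef0123456789abcdef01234567": "alice",
}

var (
	errNoToken    = errors.New("no API token presented")
	errQueryToken = errors.New("API token in query string is not accepted; send 'Authorization: token <token>'")
)

// tokenFromHeader reads "Authorization: token <value>", the form clients must use after 0.14.2.
func tokenFromHeader(r *http.Request) (string, error) {
	f := strings.Fields(r.Header.Get("Authorization"))
	if len(f) != 2 || !strings.EqualFold(f[0], "token") {
		return "", errNoToken
	}
	return f[1], nil
}

// tokenFromRequestLegacy models the pre-0.14.2 behaviour: query parameters win,
// the header is only a fallback. Every token sent this way ends up in access logs.
func tokenFromRequestLegacy(r *http.Request) (string, error) {
	q := r.URL.Query()
	for _, p := range []string{"token", "access_token"} {
		if v := q.Get(p); v != "" {
			return v, nil
		}
	}
	return tokenFromHeader(r)
}

// tokenFromRequestFixed accepts the header only. A request that still carries a
// query-string token is refused even if the header is also correct (hypothetical
// hardening; the advisory only says the parameter is no longer read).
func tokenFromRequestFixed(r *http.Request) (string, error) {
	q := r.URL.Query()
	if q.Get("token") != "" || q.Get("access_token") != "" {
		return "", errQueryToken
	}
	return tokenFromHeader(r)
}

type extractor func(*http.Request) (string, error)

// apiHandler wraps an extractor in a minimal authenticated endpoint.
func apiHandler(extract extractor) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok, err := extract(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		user, ok := validTokens[tok]
		if !ok {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "hello %s", user)
	}
}

// call issues one in-memory request against a handler and returns status and body.
func call(h http.Handler, target, authHeader string) (int, string) {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	if authHeader != "" {
		r.Header.Set("Authorization", authHeader)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code, strings.TrimSpace(w.Body.String())
}

func main() {
	tok := "0123456789abcdef0123456789abcdef01234567"
	legacy, fixed := apiHandler(tokenFromRequestLegacy), apiHandler(tokenFromRequestFixed)
	fmt.Println(call(legacy, "/api/v1/user?token="+tok, ""))   // accepted: token is now in the access log
	fmt.Println(call(fixed, "/api/v1/user?token="+tok, ""))    // refused with a migration hint
	fmt.Println(call(fixed, "/api/v1/user", "token "+tok))     // accepted: header only
}
```

The same endpoint answers all three calls; the only difference is which extractor it trusts, which is why the fix is a one-file change on the server and a client-side change for every integration that used the query string.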
Exploit Details
- GHSA: GitHub Security Advisory Details
Mitigation Strategies
- Disable query parameter authentication (Software Upgrade)
- Enforce Authorization header usage
- Sanitize server logs
Remediation Steps:
- Upgrade Gogs to version 0.14.2 or later.
- Revoke all existing Personal Access Tokens (PATs) globally.
- Instruct users to generate new tokens and update their API clients to send the token in the 'Authorization: token <your-token>' header instead of the URL.
- Audit and scrub web server and reverse proxy access logs (Nginx, Apache, Traefik) for historical requests whose query string or Referer contains 'token=' or 'access_token='; every token found there should be treated as exposed.
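The log audit step above, as an added example that is not part of the advisory or of Gogs: a Go scanner over a constructed Nginx "combined" format excerpt that reports every request line or Referer carrying a `token` or `access_token` query parameter (with only a short prefix of the value, enough to match against the token store when deciding what to revoke) and a redaction pass that blanks the values in place for log retention. The IP addresses, host name, paths and token values in the sample are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleAccessLog is a constructed Nginx combined-format excerpt; line 3 also shows
// a token leaking through the Referer header, not just the request URL.
const sampleAccessLog = `203.0.113.7 - - [05/Mar/2026:10:02:11 +0000] "GET /api/v1/user/repos?token=0123456789abcdef0123456789abcdef01234567 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.9 - - [05/Mar/2026:10:03:45 +0000] "GET /api/v1/repos/alice/infra/contents/README.md?ref=main HTTP/1.1" 200 2048 "-" "git/2.43.0"
198.51.100.4 - - [05/Mar/2026:10:04:02 +0000] "POST /api/v1/repos/alice/infra/issues?access_token=fedcba9876543210fedcba9876543210fedcba98 HTTP/1.1" 201 310 "https://gogs.example.com/alice/infra?token=fedcba9876543210fedcba9876543210fedcba98" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2026:10:05:19 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "curl/8.5.0"`

// sensitiveParams are the two query parameters Gogs < 0.14.2 accepted a token in.
var sensitiveParams = []string{"token", "access_token"}

// combinedLine captures client, method, request target, status, referer and user agent.
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"`)

// tokenValue matches a token-bearing parameter so its value can be blanked.
var tokenValue = regexp.MustCompile(`([?&](?:access_)?token=)[^&"\s]*`)

// Finding is one leaked token occurrence in the log.
type Finding struct {
	Line      int
	Client    string
	Status    string
	Param     string
	TokenHint string // first 6 characters of the token, never the full value
	InReferer bool
}

func hint(tok string) string {
	if len(tok) <= 6 {
		return tok
	}
	return tok[:6] + "..."
}

// leakedParams returns (param, value) pairs for sensitive params present in a URL
// or request target, in sensitiveParams order so results are deterministic.
func leakedParams(raw string) [][2]string {
	u, err := url.Parse(raw)
	if err != nil {
		return nil
	}
	q := u.Query()
	var out [][2]string
	for _, p := range sensitiveParams {
		if v := q.Get(p); v != "" {
			out = append(out, [2]string{p, v})
		}
	}
	return out
}

// scanAccessLog walks the log and records every token found in a request line or Referer.
func scanAccessLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		m := combinedLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a combined-format line; a real audit would count these
		}
		for _, pv := range leakedParams(m[3]) {
			findings = append(findings, Finding{n, m[1], m[4], pv[0], hint(pv[1]), false})
		}
		for _, pv := range leakedParams(m[5]) {
			findings = append(findings, Finding{n, m[1], m[4], pv[0], hint(pv[1]), true})
		}
	}
	return findings
}

// redactTokens blanks token values everywhere in the text, including inside Referers.
func redactTokens(log string) string {
	return tokenValue.ReplaceAllString(log, "${1}[REDACTED]")
}

func main() {
	for _, f := range scanAccessLog(sampleAccessLog) {
		where := "request"
		if f.InReferer {
			where = "referer"
		}
		fmt.Printf("line %d: %s sent %s=%s in %s (status %s)\n", f.Line, f.Client, f.Param, f.TokenHint, where, f.Status)
	}
	fmt.Println(redactTokens(sampleAccessLog))
}
```

Run the scanner before the scrub, not after: the prefixes it reports are what you match against the token table to decide which users to notify, and the status column tells you whether the leaked token was still valid when it was logged.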