{"api_version":"1","generated_at":"2026-06-25T16:27:49+00:00","cve":"CVE-2026-52809","urls":{"html":"https://cve.report/CVE-2026-52809","api":"https://cve.report/api/cve/CVE-2026-52809.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-52809","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-52809"},"summary":{"title":"Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES","description":"Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-24 21:16:56","updated_at":"2026-06-25 14:19:40"},"problem_types":["CWE-324","CWE-613","CWE-324 CWE-324: Use of a Key Past its Expiration Date","CWE-613 CWE-613: Insufficient Session Expiration"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"6.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g","name":"https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/gogs/gogs/releases/tag/v0.14.3","name":"https://github.com/gogs/gogs/releases/tag/v0.14.3","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-52809","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52809","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"gogs","product":"gogs","version":"affected < 0.14.3","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-52809","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-25T13:11:10.316058Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-25T13:11:33.158Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"gogs","vendor":"gogs","versions":[{"status":"affected","version":"< 0.14.3"}]}],"descriptions":[{"lang":"en","value":"Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-324","description":"CWE-324: Use of a Key Past its Expiration Date","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-613","description":"CWE-613: Insufficient Session Expiration","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-24T20:29:29.701Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g","tags":["x_refsource_CONFIRM"],"url":"https://github.com/gogs/gogs/security/advisories/GHSA-5c3f-6486-3g7g"},{"name":"https://github.com/gogs/gogs/releases/tag/v0.14.3","tags":["x_refsource_MISC"],"url":"https://github.com/gogs/gogs/releases/tag/v0.14.3"}],"source":{"advisory":"GHSA-5c3f-6486-3g7g","discovery":"UNKNOWN"},"title":"Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-52809","datePublished":"2026-06-24T20:29:29.701Z","dateReserved":"2026-06-08T18:02:19.732Z","dateUpdated":"2026-06-25T13:11:33.158Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 21:16:56","lastModifiedDate":"2026-06-25 14:19:40","problem_types":["CWE-324","CWE-613","CWE-324 CWE-324: Use of a Key Past its Expiration Date","CWE-613 CWE-613: Insufficient Session Expiration"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-25T13:11:10.316058Z","id":"CVE-2026-52809","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"52809","Ordinal":"1","Title":"Gogs: Password-reset tokens use account-activation lifetime, ign","CVE":"CVE-2026-52809","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"52809","Ordinal":"1","NoteData":"Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making RESET_PASSWORD_CODE_LIVES irrelevant to actual enforcement. When an administrator configures a shorter reset window (e.g., 10 minutes) for compliance or security reasons, reset tokens remain exploitable for the full activation lifetime instead, while the reset email falsely advertises the shorter expiry. This vulnerability is fixed in 0.14.3.","Type":"Description","Title":"Gogs: Password-reset tokens use account-activation lifetime, ign"}]}}}