CVE-2026-25120

low

Description

Tenable Research has identified and responsibly disclosed an Insecure Direct Object References (IDOR) vulnerability to Gogs. The POST `/:owner/:repo/issues/comments/:id/delete` endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls.

The vulnerability exists due to insufficient authorization validation in the comment deletion flow:

1. Missing Repository Ownership Check in DeleteComment

In `internal/route/repo/issue.go`, the function retrieves a comment by ID without verifying repository ownership:

```go
func DeleteComment(c *context.Context) {
	comment, err := database.GetCommentByID(c.ParamsInt64(":id"))
	if err != nil {
		c.NotFoundOrError(err, "get comment by ID")
		return
	}

	// Only checks if user is comment poster OR admin of the CURRENT repo (from URL)
	if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
		c.NotFound()
		return
	} else if comment.Type != database.CommentTypeComment {
		c.Status(http.StatusNoContent)
		return
	}

	// No verification that comment.IssueID belongs to c.Repo.Repository.ID!
	if err = database.DeleteCommentByID(c.User, comment.ID); err != nil {
		c.Error(err, "delete comment by ID")
		return
	}

	c.Status(http.StatusOK)
}
```

2. Database Layer Performs No Authorization

In `internal/database/comment.go`, the deletion function performs no repository validation:

```go
func DeleteCommentByID(doer *User, id int64) error {
	comment, err := GetCommentByID(id)
	if err != nil {
		if IsErrCommentNotExist(err) {
			return nil
		}
		return err
	}

	// Directly deletes without checking repository ownership
	sess := x.NewSession()
	defer sess.Close()
	if err = sess.Begin(); err != nil {
		return err
	}

	if _, err = sess.ID(comment.ID).Delete(new(Comment)); err != nil {
		// ...
	}
	// ...
}
```
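As an added example (not Gogs' code and not the project's actual fix), the ownership check the description says is missing, written against a simplified in-memory model with constructed repository, issue, comment and user IDs:

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal in-memory model, constructed for this example (not Gogs' own types).
type Comment struct{ ID, IssueID, PosterID int64 }
type Issue struct{ ID, RepoID int64 }
type Store struct {
	comments map[int64]*Comment
	issues   map[int64]*Issue
}
var ErrNotFound = errors.New("not found")
var ErrForbidden = errors.New("forbidden")

// DeleteComment takes the vulnerable handler's inputs (urlRepoID from the URL,
// commentID from the request) but, before the poster/admin check, walks
// comment -> issue -> repository and rejects a comment whose repository is not
// the one in the URL. It answers ErrNotFound rather than ErrForbidden there so
// the response does not confirm that a guessed foreign comment ID exists.
func (s *Store) DeleteComment(urlRepoID, doerID int64, doerIsRepoAdmin bool, commentID int64) error {
	comment, ok := s.comments[commentID]
	if !ok {
		return ErrNotFound
	}
	issue, ok := s.issues[comment.IssueID]
	if !ok || issue.RepoID != urlRepoID { // the ownership check the handler lacked
		return ErrNotFound
	}
	if doerID != comment.PosterID && !doerIsRepoAdmin {
		return ErrForbidden
	}
	delete(s.comments, commentID)
	return nil
}

// newSampleStore: comment 100 (poster 7) on issue 10 in repo 1; comment 200 (poster 9) on issue 20 in repo 2.
func newSampleStore() *Store {
	return &Store{
		comments: map[int64]*Comment{100: {100, 10, 7}, 200: {200, 20, 9}},
		issues:   map[int64]*Issue{10: {10, 1}, 20: {20, 2}},
	}
}

func main() {
	s := newSampleStore()
	// User 5 is admin of repo 1 and submits repo 2's comment ID through repo 1's URL.
	fmt.Println(s.DeleteComment(1, 5, true, 200), s.DeleteComment(1, 5, true, 100)) // not found <nil>
}
```

The same check belongs in the database layer as well, since DeleteCommentByID as quoted above trusts any ID it is handed.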

Details

Source: Mitre, NVD

Published: 2026-02-16

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 2.7

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Severity: Low