VDB

ANCHORE-2025-64175

ANCHORE-2025-64175 PUBLISHED

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

Affected Products

VendorProductVersions
gogsgogs0, 0, 0

Timeline

  • Feb 6, 2026 CVE Published
  • Feb 7, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›