- Product: gogs.io/gogs (go)
- Vulnerabilities: 3 flaws (CVE-2026-52813, CVE-2026-52806, CVE-2026-52811)
- Highest severity: 10.0 (Critical · CVSSv3)
- Worst impact: Path Traversal in organization name results in RCE through Git hooks
- Status: No confirmed exploitation yet; patches available
- Action: Update to 0.14.3 now
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-52813 | 10.0 | CWE-23 (relative path traversal) | No confirmed exploitation |
| CVE-2026-52806 | 9.9 | CWE-77 (command/argument injection) | No confirmed exploitation |
| CVE-2026-52811 | 9.4 | Symlink following: UploadRepoFiles writes outside the repo working tree via a committed parent symlink | No confirmed exploitation |
TL;DR
Gogs patched three critical remote code execution flaws in version 0.14.3. Each Gogs RCE vulnerability scores between 9.4 and 10 on CVSS. Public details and proof-of-concept exploit code now exist for all three.
Why It Matters
Gogs is a popular self-hosted Git service written in Go. It has roughly 50,000 GitHub stars, per Rapid7. Many small teams and labs pick it for its light footprint. By default, Gogs lets anyone self-register an account. So these flaws are reachable by any visitor, not just insiders.
Gogs also runs as a single OS user, usually git, and that user owns and can read and write every hosted repository. So one bug can expose every project on the instance. Rapid7 counted about 1,141 internet-facing instances, with likely more behind VPNs. In short, these Gogs RCE vulnerabilities put the whole server at risk.
How the Attacks Work
CVE-2026-52813: path traversal to RCE (CVSS 10)
The top flaw scores the maximum CVSS of 10. Gogs does not reject path traversal sequences in organization names, so a name built from `..` segments makes the server create or write files outside the directory intended for that organization. From there, an attacker reaches a Git worktree it can write to and overwrites a hook script. Git then runs that hook, and the shell commands inside it, as the git user.
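The following Go example is added here to illustrate the bug class; it is not Gogs code and does not reproduce the actual vulnerable function. The root path, the `unsafeOrgDir` and `safeOrgDir` helpers, the allow-list pattern, and the sample names are all assumptions for the illustration. The unsafe variant joins the user-supplied name straight into the repository root; the hardened variant allow-lists the name and then confirms the result is a direct child of the root, which also catches names that contain a separator but no `..` and would otherwise pass a pure containment check.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadOrgName is returned when a name fails validation (hypothetical name).
var ErrBadOrgName = errors.New("invalid organization name")

// orgNamePattern is an assumed allow-list, not Gogs's real rule: ASCII
// letters, digits, "_", "-" and "." with no leading dot, so "." and ".."
// and anything containing a path separator are rejected outright.
var orgNamePattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]{0,39}$`)

// unsafeOrgDir shows the bug class: the user-supplied name is joined into
// the repository root without validation, so ".." segments walk out of it.
func unsafeOrgDir(reposRoot, orgName string) string {
	return filepath.Join(reposRoot, orgName)
}

// safeOrgDir validates the name against the allow-list and then, as defence
// in depth, confirms that the joined path is still a direct child of root.
func safeOrgDir(reposRoot, orgName string) (string, error) {
	if !orgNamePattern.MatchString(orgName) {
		return "", ErrBadOrgName
	}
	root := filepath.Clean(reposRoot)
	dir := filepath.Join(root, orgName)
	rel, err := filepath.Rel(root, dir)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) ||
		strings.ContainsRune(rel, filepath.Separator) {
		return "", ErrBadOrgName
	}
	return dir, nil
}

func main() {
	const root = "/data/gogs-repositories" // assumed layout, not a real install

	// Constructed inputs: a benign name, a traversal name, and a name that
	// stays under root but points into another repository's hooks directory.
	for _, name := range []string{"acme", "../../tmp/evil", "victim/app.git/hooks"} {
		fmt.Printf("unsafe join %-24q -> %s\n", name, unsafeOrgDir(root, name))
		if dir, err := safeOrgDir(root, name); err != nil {
			fmt.Printf("safe   join %-24q -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("safe   join %-24q -> %s\n", name, dir)
		}
	}
}
```

Note that `../../tmp/evil` is joined to `/tmp/evil` by the unsafe variant, while `victim/app.git/hooks` is joined to a path that is still inside the root; a containment check alone would accept the second one, which is why the allow-list on the name itself is the primary control.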
CVE-2026-52806: rebase argument injection (CVSS 9.9)
The second flaw abuses the rebase merge style for pull requests. A crafted branch name lands in a position where git parses it as a command-line option, so the server runs attacker-supplied commands while merging the pull request. Any user who creates a repository can enable the needed setting. So no admin rights and no victim interaction are required.
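An added Go example of the argument injection pattern and its fix; this is not the Gogs code path and the `--exec=id` branch name is a constructed payload (git's documented `--exec` option runs a shell command after each replayed commit). The helper names, the allow-list pattern, and the working directory are assumptions. The hardened builder rejects option-looking names and inserts `--`, which git's option parser treats as the end of options, before the positional arguments.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// ErrOptionLikeRef is returned for ref names that git could parse as an option.
var ErrOptionLikeRef = errors.New("ref name would be parsed as a git option")

// refNamePattern is an assumed allow-list for branch names used here; it is
// deliberately stricter than git's own check-ref-format rules.
var refNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// unsafeRebaseArgs builds argv the vulnerable way: user-controlled names are
// placed directly in argv, and git's option parser also accepts options that
// come after positional arguments, so a head branch named "--exec=id" yields
// "git rebase main --exec=id", which runs "id" after each replayed commit.
func unsafeRebaseArgs(baseBranch, headBranch string) []string {
	return []string{"rebase", baseBranch, headBranch}
}

// safeRebaseArgs rejects anything starting with "-" or outside the allow-list,
// and adds "--" so git stops option parsing before the positional arguments.
func safeRebaseArgs(baseBranch, headBranch string) ([]string, error) {
	for _, ref := range []string{baseBranch, headBranch} {
		if strings.HasPrefix(ref, "-") || !refNamePattern.MatchString(ref) {
			return nil, fmt.Errorf("%w: %q", ErrOptionLikeRef, ref)
		}
	}
	return []string{"rebase", "--", baseBranch, headBranch}, nil
}

// rebaseCommand prepares (but does not run) the git invocation in the repo
// at dir. Arguments go through exec.Command's argv, never through a shell.
func rebaseCommand(dir, baseBranch, headBranch string) (*exec.Cmd, error) {
	args, err := safeRebaseArgs(baseBranch, headBranch)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = dir
	return cmd, nil
}

func main() {
	// Constructed attacker-controlled head branch name.
	fmt.Println("vulnerable argv:", unsafeRebaseArgs("main", "--exec=id"))
	if _, err := safeRebaseArgs("main", "--exec=id"); err != nil {
		fmt.Println("hardened:", err)
	}
	cmd, err := rebaseCommand("/tmp/work", "main", "feature/login") // assumed checkout dir
	if err != nil {
		panic(err)
	}
	fmt.Println("hardened argv:", cmd.Args)
}
```

The `--` separator is the part that survives a missed validation case: even if an option-looking name slipped through the allow-list, git would see it only as a ref name, not as an option.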
CVE-2026-52811: symlink file write (CVSS 9.4)
The third flaw targets the file upload path. Gogs checks whether the final path component is a symlink but not its parent directories, so an upload whose path passes through a committed symlinked directory is written through that symlink to a location outside the working tree. An attacker can use this to drop an SSH key into authorized_keys or plant a malicious hook. The foothold also survives a restart. This flaw affects Linux and macOS, but not Windows.
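An added Go example, not taken from Gogs, contrasting the weak final-component check with a check that resolves every existing ancestor of the destination. The working tree, the `docs/assets` symlink and the upload path are constructed fixture data; the function names are assumptions. The hardened check also rejects `..` segments lexically before touching the filesystem, and catches the case where the final component itself is the symlink.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideTree is returned when a write would land outside the working tree.
var ErrOutsideTree = errors.New("path resolves outside the working tree")

// finalComponentIsSymlink is the weak check: it Lstat()s only the destination.
// A file that does not exist yet passes, even when a parent directory is a
// symlink that points out of the tree.
func finalComponentIsSymlink(path string) bool {
	fi, err := os.Lstat(path)
	if err != nil {
		return false
	}
	return fi.Mode()&os.ModeSymlink != 0
}

// resolveInsideTree resolves the deepest existing ancestor of rel (or rel
// itself, if present) through the filesystem and returns the real destination
// only if it is still beneath root.
func resolveInsideTree(root, rel string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	rel = filepath.Clean(rel)
	if filepath.IsAbs(rel) || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideTree
	}
	target := filepath.Join(rootReal, rel)

	// Walk up to the deepest path that already exists (rootReal at the latest).
	existing := target
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", fmt.Errorf("no existing ancestor for %s", target)
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing) // follows symlinks in every component
	if err != nil {
		return "", err
	}
	tail, err := filepath.Rel(existing, target) // the not-yet-created remainder
	if err != nil {
		return "", err
	}
	final := filepath.Join(resolved, tail)
	if final != rootReal && !strings.HasPrefix(final, rootReal+string(filepath.Separator)) {
		return "", ErrOutsideTree
	}
	return final, nil
}

// buildFixture creates a working tree whose "docs/assets" entry is a symlink to
// a directory outside the tree, standing in for a committed symlink.
func buildFixture() (root, outside string, err error) {
	if root, err = os.MkdirTemp("", "worktree-"); err != nil {
		return "", "", err
	}
	if outside, err = os.MkdirTemp("", "outside-"); err != nil {
		return "", "", err
	}
	if err = os.MkdirAll(filepath.Join(root, "docs"), 0o755); err != nil {
		return "", "", err
	}
	err = os.Symlink(outside, filepath.Join(root, "docs", "assets"))
	return root, outside, err
}

func main() {
	root, outside, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)

	upload := "docs/assets/authorized_keys" // attacker-chosen upload path
	fmt.Println("final-component check flags it:", finalComponentIsSymlink(filepath.Join(root, upload)))
	if _, err := resolveInsideTree(root, upload); err != nil {
		fmt.Println("full-path check:", err)
	}
	if dst, err := resolveInsideTree(root, "docs/README.md"); err == nil {
		fmt.Println("benign upload resolves to:", dst)
	}
}
```

Resolving the path is still only half of the defence: between the check and the write, the tree can change, so the write itself should also be done with the resolved path and, where the platform allows it, with a file handle opened relative to the tree root rather than by re-walking the user-supplied string.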
Exploitation Status
The Gogs team published advisories for all three issues. Crucially, each advisory includes a working proof-of-concept exploit. So the barrier to attack is now very low. Still, no confirmed in-the-wild exploitation of these three CVEs exists yet.
Affected Versions
All three flaws affect Gogs versions before 0.14.3. This covers binary, Docker, and source installs.
Patch and Mitigation
Update Gogs to version 0.14.3 right now. The maintainer shipped that release on 7 June 2026. It fixes all three Gogs RCE vulnerabilities. You can grab it from the official 0.14.3 release page. Until you patch, disable open registration as a stopgap. Also limit who can create organizations and repositories. After upgrading, check Git hooks and authorized_keys for unexpected changes. Review the full advisories on the Gogs security page.
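To support the post-upgrade check of authorized_keys, here is an added Go example (not a Gogs tool) that parses the file, computes each key's SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and lists entries whose fingerprint is not in an allow-list. On a Gogs host the allow-list would be the fingerprints of the keys registered through the application; the sample lines, the blobs (which are not real keys) and the `command=` prefix are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyEntry is one parsed authorized_keys line.
type KeyEntry struct {
	Options     string // leading options such as command="...",no-pty (may be empty)
	Type        string // key type, e.g. ssh-ed25519
	Fingerprint string // SHA256:... in the form printed by ssh-keygen -lf
	Comment     string
}

func isKeyType(s string) bool {
	return strings.HasPrefix(s, "ssh-") || strings.HasPrefix(s, "ecdsa-") || strings.HasPrefix(s, "sk-")
}

// splitOptions separates the leading options field from the rest of a line.
// The field ends at the first whitespace outside double quotes, so a quoted
// command containing spaces stays intact.
func splitOptions(line string) (options, rest string) {
	inQuote := false
	for i := 0; i < len(line); i++ {
		switch line[i] {
		case '"':
			inQuote = !inQuote
		case ' ', '\t':
			if !inQuote {
				return line[:i], strings.TrimLeft(line[i:], " \t")
			}
		}
	}
	return line, ""
}

// sshFingerprint computes the OpenSSH SHA256 fingerprint of a base64 key blob:
// unpadded base64 of SHA-256 over the decoded blob.
func sshFingerprint(b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// parseAuthorizedKeys parses file content, skipping blank and comment lines.
func parseAuthorizedKeys(content string) ([]KeyEntry, error) {
	var entries []KeyEntry
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var opts string
		if !isKeyType(strings.Fields(line)[0]) {
			opts, line = splitOptions(line)
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || !isKeyType(fields[0]) {
			return nil, fmt.Errorf("unparseable authorized_keys line: %q", line)
		}
		fp, err := sshFingerprint(fields[1])
		if err != nil {
			return nil, err
		}
		entries = append(entries, KeyEntry{opts, fields[0], fp, strings.Join(fields[2:], " ")})
	}
	return entries, nil
}

// unexpectedKeys returns the entries whose fingerprint is not in the allow-list.
func unexpectedKeys(entries []KeyEntry, known map[string]bool) []KeyEntry {
	var out []KeyEntry
	for _, e := range entries {
		if !known[e.Fingerprint] {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	blob := func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
	// Constructed sample: the blobs are not real keys and the command= prefix is illustrative.
	content := `command="/srv/gogs/serve key-1",no-pty ssh-ed25519 ` + blob("key-one") + " alice@laptop\n" +
		"ssh-ed25519 " + blob("key-two") + " attacker@evil\n"
	known, _ := sshFingerprint(blob("key-one")) // in practice: fingerprints exported from the Gogs database
	entries, err := parseAuthorizedKeys(content)
	if err != nil {
		panic(err)
	}
	for _, e := range unexpectedKeys(entries, map[string]bool{known: true}) {
		fmt.Printf("unexpected key: %s %s %q\n", e.Type, e.Fingerprint, e.Comment)
	}
}
```

Pair this with a modification-time scan of the hook directories under the repository root (for example `find <repo root> -path '*/hooks/*' -type f -newermt '<date of last known-good deployment>'` on a GNU system), and treat any hook or key you cannot account for as evidence of compromise rather than as something to clean up quietly.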