CVE-2026-52806: Gogs: RCE via git rebase --exec argument injection in pull request merge
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: 0.14.3
- Affected Products: 1
HarborGuard Analysis
Synopsis
Argument injection leading to remote code execution affects Gogs, the self-hosted Git service, in versions before 0.14.3. When a pull request is merged with the "Rebase before merging" option, Gogs passes a branch name from the pull request to git rebase as a positional argument; a branch whose name looks like an option (for example one beginning with --exec=) is parsed by git as the --exec flag, and the flag's value is run as a shell command on the server. The vulnerability is reachable over the network by any authenticated user with low privileges, and no action by another user or administrator is needed. Successful exploitation gives the attacker command execution as the account the Gogs service runs under, and with it the ability to read, modify, or delete any data that account can access. The upstream fix is in Gogs 0.14.3.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built Gogs images. Any image running a Gogs version below 0.14.3 is flagged automatically.
HarborGuard scores this finding at CVSS 9.9 Critical and surfaces it in each customer's dashboard, ranked against that environment's compliance policy so that it is routed first. Triage alerts go to the team inbox or ticketing integration configured by the customer org.
The advisory names 0.14.3 as the fixed release. HarborGuard re-examines the advisory on every ingest cycle and will make a patched-image rebuild available as soon as that release is confirmed in its upstream feed; for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Gogs instance over the network (HTTP or SSH) to push a branch with the crafted name and open a pull request from it.
- Authentication: Required
Any low-privilege account with repository access is sufficient; no administrator credentials are needed.
- Victim interaction: Not required
The attacker merges the pull request with the rebase strategy themselves; no other user needs to take any action.
- Attack complexity: Low
Exploitation is deterministic: a branch name beginning with --exec= is parsed by git as that option the moment the rebase runs, with no race condition or special environmental state required.
Blast Radius
- The attacker executes arbitrary commands as the Gogs server process, giving full control over the host environment accessible to that process.
- All repository data hosted on the instance, including source code, commit history, and secrets stored in repository settings, is readable and modifiable.
- The attacker can write or overwrite files on the server filesystem, enabling persistence mechanisms such as backdoored hooks or credential theft.
- The Gogs service and any co-located services sharing the same host or container can be disrupted or terminated.
How HarborGuard Handles This
Available on HarborGuard: the advisory names Gogs 0.14.3 as the fixed release for this Critical-severity argument-injection RCE. HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild as soon as 0.14.3 or later is confirmed upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads fire automatically at that point; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes once an upstream fix is available. Until the upgrade lands, compensating controls worth evaluating include: restricting repository creation and pull-request permissions to trusted accounts via Gogs access controls; placing the Gogs instance behind a network policy that limits inbound access to known IP ranges; and auditing existing repositories for branch names that begin with a dash, since only a positional argument starting with - is parsed by git as an option (a dash elsewhere in the name is harmless). Where compliance policy permits, disabling the rebase merge strategy in repository settings removes the specific code path this CVE targets. None of these removes the bug: an authenticated user who can already open and merge pull requests from an allowed network range can still trigger it, so they reduce exposure rather than replace the upgrade.
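As an added illustration (not Gogs' own code and not the upstream fix), the Go sketch below covers both the mechanism described under Exploit Conditions and the branch-name audit suggested above as an interim control: how a positional branch argument that begins with a dash is read by git as an option, a hardened argument builder that refuses such names and qualifies refs under refs/heads/, and a sweep over `git for-each-ref` output that lists the branches a merge path would mis-parse. The function names, the argv shapes, and the sample ref list are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// isFlagLike reports whether a branch name, passed positionally to git,
// would be consumed by git's option parser instead of being treated as a ref.
// Only a leading dash matters: "feature/--exec" is a normal ref because the
// positional argument starts with "f".
func isFlagLike(branch string) bool {
	return strings.HasPrefix(branch, "-")
}

// rebaseArgsVulnerable builds "git rebase <base> <head>" the way a naive merge
// path might (assumed shape, not Gogs' code). Both names land in positions
// where git still parses options, so a head branch named "--exec=<cmd>" is
// taken as the --exec option and <cmd> runs during the rebase.
func rebaseArgsVulnerable(base, head string) []string {
	return []string{"rebase", base, head}
}

// rebaseArgsSafe refuses dash-leading names outright, then qualifies the refs
// under refs/heads/ (so the argument can never start with "-") and ends option
// parsing with "--" as a second layer in case validation is bypassed elsewhere.
func rebaseArgsSafe(base, head string) ([]string, error) {
	for _, b := range []string{base, head} {
		if b == "" {
			return nil, errors.New("empty branch name")
		}
		if isFlagLike(b) {
			return nil, fmt.Errorf("branch name %q would be parsed as a git option", b)
		}
	}
	return []string{"rebase", "--", "refs/heads/" + base, "refs/heads/" + head}, nil
}

// injectedOptions models git's argv handling closely enough for this check:
// every argument after the subcommand that starts with "-" is an option until
// a bare "--" ends option parsing. It returns the options an attacker-
// controlled argument list would smuggle in.
func injectedOptions(args []string) []string {
	var opts []string
	for _, a := range args[1:] {
		if a == "--" {
			break
		}
		if strings.HasPrefix(a, "-") {
			opts = append(opts, a)
		}
	}
	return opts
}

// auditRefs takes the output of
//   git for-each-ref --format='%(refname)' refs/heads
// and returns the branch names that would be parsed as options if a merge
// path ever passed them positionally. Use it to sweep existing repositories.
func auditRefs(forEachRefOutput string) []string {
	var hits []string
	for _, line := range strings.Split(forEachRefOutput, "\n") {
		name := strings.TrimPrefix(strings.TrimSpace(line), "refs/heads/")
		if name != "" && isFlagLike(name) {
			hits = append(hits, name)
		}
	}
	return hits
}

// Constructed sample of for-each-ref output; not taken from any real repository.
const sampleRefs = `refs/heads/master
refs/heads/feature/login
refs/heads/--exec=id
refs/heads/-v`

func main() {
	head := "--exec=id"
	v := rebaseArgsVulnerable("master", head)
	fmt.Printf("vulnerable argv: %q\n  options git would see: %q\n", v, injectedOptions(v))

	if _, err := rebaseArgsSafe("master", head); err != nil {
		fmt.Println("hardened builder rejected:", err)
	}
	s, _ := rebaseArgsSafe("master", "feature/login")
	fmt.Printf("hardened argv: %q\n  options git would see: %q\n", s, injectedOptions(s))

	fmt.Printf("flag-like branches in audit sample: %q\n", auditRefs(sampleRefs))
}
```

One caveat worth keeping in mind when auditing: `git branch` refuses to create a name that starts with a dash, but that check belongs to local branch creation, not to the refname validation a server applies to pushed refs, so a hosting service must validate or qualify names itself rather than assume such branches cannot exist.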
Affected Products
- gogs / gogs < 0.14.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H