HarborGuard Database

CVE-2026-52811 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-52811: Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym

Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for a symlink only at the leaf of the upload target (osx.IsSymlink(targetPath)). Its siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every path component; UploadRepoFiles is the lone outlier. An attacker with repo-write access submits a multipart upload whose filename contains a literal backslash: filepath.Base keeps it on Linux, where the backslash is not a path separator, and pathx.Clean then converts it to /, so a single "basename" becomes a multi-component relative path that routes the write through a previously committed directory symlink. iox.CopyFile opens the destination with os.Create, which has no O_NOFOLLOW (and O_NOFOLLOW would only have refused a symlink at the final component, not a symlinked parent), so the kernel follows the parent symlink and writes attacker-controlled bytes anywhere the gogs UID can write: ~git/.ssh/authorized_keys for an SSH foothold, or <repo>.git/hooks/post-receive for command execution on the next push. This vulnerability is fixed in 0.14.3.
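
The two checks the advisory contrasts, as an added example in Go (illustrative code written for this page, not Gogs source: the osx, pathx and iox helpers are stood in for by standard-library calls, safeUploadTarget is a hypothetical name, and the repository layout is constructed in a temp directory). It reproduces the backslash-to-slash filename step, shows the leaf-only check passing while the per-component lstat catches the symlinked parent, and confirms that the plain open lands the bytes outside the repo:

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// cleanUploadName reproduces the advisory's two steps: on Linux filepath.Base keeps a
// literal backslash, and the later Clean turns "\" into "/", so one "basename" becomes
// the multi-component relative path escape/authorized_keys.
func cleanUploadName(name string) string {
	return path.Clean(strings.ReplaceAll(filepath.Base(name), `\`, "/"))
}

// hasSymlinkInPath lstats every component of rel beneath root, as the sibling handlers do.
func hasSymlinkInPath(root, rel string) (bool, error) {
	cur := root
	for _, part := range strings.Split(rel, "/") {
		if part == "" || part == "." {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if os.IsNotExist(err) {
			return false, nil // the rest of the path does not exist yet, nothing to follow
		}
		if err != nil {
			return false, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return true, nil
		}
	}
	return false, nil
}

// safeUploadTarget (a hypothetical name, not the Gogs API) is the join a fixed handler
// needs: refuse absolute or parent-escaping names, then refuse a symlink on any existing
// component before the file is ever opened.
func safeUploadTarget(root, name string) (string, error) {
	rel := cleanUploadName(name)
	if path.IsAbs(rel) || rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("rejected upload name %q", name)
	}
	if sym, err := hasSymlinkInPath(root, rel); err != nil || sym {
		return "", fmt.Errorf("symlink or lstat failure on the path to %q (err=%v)", rel, err)
	}
	return filepath.Join(root, rel), nil
}

// buildRepo lays out a constructed scenario in a temp dir (not a real Gogs checkout):
// <tmp>/outside stands in for ~git/.ssh, and <tmp>/repo/escape is the "previously
// committed" directory symlink pointing at it.
func buildRepo() (root, outside string, err error) {
	tmp, err := os.MkdirTemp("", "cve-2026-52811-")
	if err != nil {
		return "", "", err
	}
	root, outside = filepath.Join(tmp, "repo"), filepath.Join(tmp, "outside")
	for _, d := range []string{root, outside} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return "", "", err
		}
	}
	return root, outside, os.Symlink("../outside", filepath.Join(root, "escape"))
}

// vulnerableWrite mimics the pre-0.14.3 path: lstat only the leaf, then open it without
// O_NOFOLLOW, which the kernel resolves through the symlinked parent directory.
func vulnerableWrite(root, name string, data []byte) error {
	target := filepath.Join(root, cleanUploadName(name))
	if fi, err := os.Lstat(target); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("leaf %q is a symlink", target) // the only check the old code made
	}
	return os.WriteFile(target, data, 0o644) // same O_CREATE|O_TRUNC open as os.Create, parent link followed
}

// demo runs the upload against the constructed layout and reports whether the bytes
// landed outside the repo and whether the hardened join refuses the same filename.
func demo() (landedOutside, hardenedRejected bool, err error) {
	root, outside, err := buildRepo()
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(filepath.Dir(root))
	name := `escape\authorized_keys` // multipart filename carrying a literal backslash
	if err = vulnerableWrite(root, name, []byte("ssh-ed25519 AAAA... attacker\n")); err != nil {
		return false, false, err
	}
	_, statErr := os.Stat(filepath.Join(outside, "authorized_keys"))
	_, hardenErr := safeUploadTarget(root, name)
	return statErr == nil, hardenErr != nil, nil
}

func main() {
	landed, rejected, err := demo()
	fmt.Printf("landed outside repo: %v, hardened join rejected it: %v, err: %v\n", landed, rejected, err)
}
```

Run it on Linux; on Windows filepath.Base treats the backslash as a separator and the multi-component name never forms. Adding O_NOFOLLOW to the open would not have rescued the old code either, since that flag only refuses a symlink at the final component: the per-component lstat (or a realpath check of the parent directory against the repository root) is the check that matters.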

Metrics

CVSS v4.0: 9.0
Severity: CRITICAL
Fixed in: 0.14.3
Affected Products: 1


HarborGuard Analysis

Synopsis

A path-traversal vulnerability in Gogs, the self-hosted Git service, lets an authenticated attacker with write access to a repository write arbitrary files anywhere the Gogs process user can write on the host. The flaw is reachable over the network and needs no administrative privileges, only a low-privilege repository account, plus one precondition: a directory symlink already committed in the target repository (the AT:P term in the CVSS vector), which the same write access is normally enough to create by pushing a commit. Successful exploitation lets the attacker plant an SSH authorized key or a Git hook script, gaining persistent shell access or command execution triggered on the next push to that repository. The upstream advisory names Gogs 0.14.3 as the fixed release; HarborGuard tracks the advisory and makes a patched-image rebuild available once that release is confirmed upstream.

HarborGuard Coverage

Detection

Detection of CVE-2026-52811 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Gogs, in both registry scans and CI pipeline checks.

Available
Triage

Triage is available using the CVSS v4.0 score of 9.0 (Critical), weighted against each customer organization's compliance policy to determine urgency and routed to the appropriate team inbox within that org.

Available
Patch

The upstream advisory names Gogs 0.14.3 as the fixed release. HarborGuard re-checks the advisory on every ingest cycle and makes a patched-image rebuild available automatically once 0.14.3 or a later corrected release is confirmed upstream. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are initiated without manual intervention once that fix is confirmed.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The Gogs web interface is exposed over the network, so an attacker must be able to reach the service's HTTP or HTTPS endpoint to submit the malicious multipart upload.

  • Authentication: Required

    A low-privilege account with write access to at least one repository is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attack is fully attacker-driven through the file upload API; no other user needs to click a link or take any action.

  • Attack complexity: Low, with a precondition (AC:L, AT:P)

    The attack requires a directory symlink to already be committed in the repository (AT:P). Because the attacker already holds write access, that precondition is normally theirs to create by pushing a commit that contains the symlink; once it exists, the upload-and-write step is deterministic and needs no further conditions.

Blast Radius

  • Attacker writes arbitrary content to ~/.ssh/authorized_keys under the Gogs process account, adding an SSH public key and gaining a persistent interactive shell on the host.
  • Attacker overwrites or creates a Git hook such as post-receive inside any repository, causing arbitrary commands to execute as the Gogs UID on every subsequent push to that repository.
  • All data accessible to the Gogs process user, including every hosted repository and their stored secrets or deploy keys, is exposed to reading, modification, or deletion.
  • Downstream systems that pull from or interact with the compromised Gogs instance inherit the exposure, since hook-injected commands can reach any service the host can contact.

How HarborGuard Handles This

Available on HarborGuard: the upstream advisory names Gogs 0.14.3 as the fixed release, so the primary remediation is to upgrade to 0.14.3 or later. HarborGuard re-checks the advisory on every ingest cycle and makes a patched-image rebuild available once that release is confirmed upstream; for customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads are triggered automatically with no manual steps. In the interim, compensating controls worth considering include restricting network-policy ingress to the Gogs service to trusted source CIDRs only, limiting repository write access to trusted accounts until the upgrade lands, running the Gogs container as a non-root UID (a read-only root filesystem helps less than it sounds here, because the targets this bug reaches, ~git/.ssh and each repository's hooks directory, live on the writable data volume), and auditing existing repositories for committed symlinks whose targets point outside the tree. HarborGuard flags all images containing affected Gogs versions as Critical in the compliance dashboard and can route alerts to the appropriate team via configured notification channels.
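
One way to run the symlink audit mentioned above, as an added example in Go (not Gogs or HarborGuard code). It shells out to git, so AuditRepo can be pointed at the bare <repo>.git directories under the Gogs repository root without checking anything out; it lists every mode-120000 entry on every branch and flags the ones whose target resolves outside the tree, which are the only links the upload handler could be redirected through onto the host. The fixture it builds when run is constructed sample data, the AuditRepo and targetEscapes names are this example's own, and git is assumed to be on PATH.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path"
	"path/filepath"
	"strings"
)

// CommittedSymlink is one git mode-120000 entry found on a branch.
type CommittedSymlink struct {
	Ref, Path, Target string
	Escapes           bool // target is absolute or climbs above the tree root
}

// git runs one git command (assumed on PATH) and returns its stdout; on failure the
// returned error is an *exec.ExitError whose Stderr field holds git's message.
func git(args ...string) (string, error) {
	out, err := exec.Command("git", args...).Output()
	return string(out), err
}

// targetEscapes resolves a link target against the link's own tree-relative location
// (textually, without following further links) and reports whether it leaves the tree.
// Only such links can redirect an upload onto the host rather than into the checkout.
func targetEscapes(linkPath, target string) bool {
	if path.IsAbs(target) {
		return true
	}
	resolved := path.Join(path.Dir(linkPath), target)
	return resolved == ".." || strings.HasPrefix(resolved, "../")
}

// AuditRepo lists every committed symlink on every branch, reading git objects only,
// so it can be pointed at a bare server-side <repo>.git without a checkout.
func AuditRepo(gitDir string) ([]CommittedSymlink, error) {
	refs, err := git("--git-dir", gitDir, "for-each-ref", "--format=%(refname)", "refs/heads/")
	if err != nil {
		return nil, err
	}
	var found []CommittedSymlink
	for _, ref := range strings.Fields(refs) {
		tree, err := git("--git-dir", gitDir, "ls-tree", "-r", "-z", ref)
		if err != nil {
			return nil, err
		}
		for _, entry := range strings.Split(tree, "\x00") { // "<mode> <type> <sha>\t<path>"
			meta, p, ok := strings.Cut(entry, "\t")
			f := strings.Fields(meta)
			if !ok || len(f) != 3 || f[0] != "120000" {
				continue
			}
			target, err := git("--git-dir", gitDir, "cat-file", "-p", f[2]) // a symlink blob's body is its target
			if err != nil {
				return nil, err
			}
			found = append(found, CommittedSymlink{Ref: ref, Path: p, Target: target, Escapes: targetEscapes(p, target)})
		}
	}
	return found, nil
}

// buildFixture constructs a throwaway repo (sample data, not a real Gogs repository) with
// one escaping and one in-tree symlink so the audit can be exercised offline.
func buildFixture() (gitDir string, cleanup func(), err error) {
	tmp, err := os.MkdirTemp("", "gogs-symlink-audit-")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(tmp) }
	wt := filepath.Join(tmp, "wt")
	if err = os.MkdirAll(filepath.Join(wt, "docs"), 0o755); err == nil {
		err = os.Symlink("../../outside", filepath.Join(wt, "escape")) // climbs out of the tree
	}
	if err == nil {
		err = os.Symlink("notes.txt", filepath.Join(wt, "docs", "link")) // stays inside the tree
	}
	for _, args := range [][]string{{"init", "-q", wt}, {"-C", wt, "add", "-A"},
		{"-C", wt, "-c", "user.name=audit", "-c", "user.email=audit@example.invalid", "commit", "-q", "-m", "fixture"}} {
		if err == nil {
			_, err = git(args...)
		}
	}
	if err != nil {
		cleanup()
		return "", nil, err
	}
	return filepath.Join(wt, ".git"), cleanup, nil // --git-dir works the same on a bare repo
}

func main() {
	gitDir, cleanup, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	found, err := AuditRepo(gitDir)
	if err != nil {
		panic(err)
	}
	for _, s := range found {
		fmt.Printf("%s\t%s -> %s\tescapes=%v\n", s.Ref, s.Path, s.Target, s.Escapes)
	}
}
```

To audit a server, loop over the *.git directories under the Gogs repository root and call AuditRepo on each; entries with Escapes set are the ones to remove or justify before the upgrade, since an in-tree link only redirects the write to another path inside the same checkout. The classification is textual and does not chase chains of links, so treat it as a first pass rather than proof of safety.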

Affected packages
  • gogs / gogs
    < 0.14.3
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H