CVE-2026-52813: Gogs: Path Traversal in organization name results in RCE through Git hooks
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths that follow those traversals. This allows storing and retrieving repository data at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one repository can overwrite another's hooks configuration, resulting in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in Gogs, the self-hosted Git service, allows an unauthenticated remote attacker to write repository data to arbitrary locations on the host filesystem. By crafting an organization name containing ../ sequences, an attacker can overwrite Git hook configuration files belonging to other repositories. Successful exploitation results in remote code execution on the host running the Gogs server. No patched release has been published upstream; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.
HarborGuard Coverage
Detection of CVE-2026-52813 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Gogs images derived from internal Dockerfiles.
Status: Available
HarborGuard scores this finding at CVSS 10.0 Critical and surfaces it against each environment's compliance policy weighting for critical-severity, remotely exploitable issues. Triage routing directs the finding to the appropriate team inbox within each customer organization based on registry ownership and policy configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 0.14.3 or a later fix is released by the upstream project. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Gogs HTTP or SSH interface over the network; no prior foothold on the host is needed.
- Authentication: Not required
No account or credentials are required; the organization-creation endpoint is accessible to unauthenticated users in default Gogs configurations.
- Victim interaction: Not required
The attack is fully server-side; no user needs to click a link or open a file for exploitation to succeed.
- Attack complexity
Exploit conditions are straightforward and reliable: crafting a path traversal in an organization name requires no race conditions, memory layout knowledge, or environmental prerequisites.
Blast Radius
- The attacker achieves remote code execution on the host by overwriting Git hook scripts, allowing arbitrary OS commands to run under the Gogs process account.
- Any file path writable by the Gogs process is reachable, exposing all repository data, secrets, and configuration files stored on the host filesystem.
- An attacker can modify or destroy repository contents belonging to other organizations, corrupting source code and commit history across the entire Gogs instance.
- The scope of impact extends beyond the Gogs application itself: other services and files co-located on the same host and accessible to the Gogs OS user are at risk of tampering or exfiltration.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-52813 has been published, HarborGuard continuously re-checks the Gogs advisory on every feed ingest cycle. The moment version 0.14.3 or a subsequent fix is released, a patched-image rebuild becomes available; customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads without manual steps. Until a fix is available, recommended compensating controls include applying a network policy to restrict which source IPs can reach the Gogs organization-creation endpoint, enabling Gogs registration confirmation to prevent anonymous account creation, and auditing existing organization names for ../ sequences. For environments where Gogs is not required to be publicly accessible, egress and ingress filtering at the container or Kubernetes network-policy layer reduces the exposure surface while the upstream project works toward a patch.
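The two defensive checks the advisory implies are a name validator that refuses traversal sequences before a repository path is built, and an audit of organization names that already exist. The Go example below is added here to show both; it is not Gogs code and not HarborGuard tooling. The function names (ValidateName, SafeRepoPath, AuditNames), the repository root /var/gogs-repositories and the sample organization names are all constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for a name that could steer a repository path out
// of the configured repository root.
var ErrUnsafeName = errors.New("unsafe organization or repository name")

// ValidateName rejects names containing a path separator or a ".." sequence,
// plus the empty, "." and ".." names. It is deliberately stricter than needed:
// a legitimate name should never carry either. Hypothetical helper written
// for this advisory, not Gogs' own validator.
func ValidateName(name string) error {
	switch {
	case name == "", name == ".", name == "..":
		return ErrUnsafeName
	case strings.ContainsAny(name, `/\`):
		return ErrUnsafeName
	case strings.Contains(name, ".."):
		return ErrUnsafeName
	}
	return nil
}

// SafeRepoPath joins root/org/repo.git and then confirms, as defence in depth,
// that the cleaned result still lies beneath root. root must be absolute.
func SafeRepoPath(root, org, repo string) (string, error) {
	if !filepath.IsAbs(root) {
		return "", fmt.Errorf("repository root %q must be absolute", root)
	}
	if err := ValidateName(org); err != nil {
		return "", fmt.Errorf("organization %q: %w", org, err)
	}
	if err := ValidateName(repo); err != nil {
		return "", fmt.Errorf("repository %q: %w", repo, err)
	}
	root = filepath.Clean(root)
	// Join cleans the result, so any ".." component would be resolved here;
	// the Rel check below catches a path that resolved outside root.
	p := filepath.Join(root, org, repo+".git")
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes %q: %w", p, root, ErrUnsafeName)
	}
	return p, nil
}

// AuditNames returns the subset of existing names that ValidateName would
// reject, in the order given. Run it over the organization names of a live
// instance to find entries created before a validation check existed.
func AuditNames(names []string) []string {
	var bad []string
	for _, n := range names {
		if ValidateName(n) != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	// Constructed sample names; the traversal-style entries follow the pattern
	// the advisory describes and are not taken from any real instance.
	existing := []string{"acme", "dev-team", "../../tmp", "a/b", ".."}
	fmt.Println("flagged:", AuditNames(existing))

	for _, org := range []string{"acme", "../../tmp"} {
		p, err := SafeRepoPath("/var/gogs-repositories", org, "app")
		fmt.Printf("org=%q path=%q err=%v\n", org, p, err)
	}
}
```

The validator is the primary control; the Rel check in SafeRepoPath exists so that a name which slips past validation through some other code path still cannot produce a location outside the repository root. AuditNames is the piece to run once against an existing instance, since names accepted before the fix remain on disk until they are reviewed.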
- gogs / gogs: < 0.14.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H