Threat Advisory

Gogs Vulnerabilities Enable Critical Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Gogs, a self-hosted Git service, affecting versions prior to 0.14.3. These critical flaws include multiple remote code execution vulnerabilities arising from path traversal, argument injection, and improper symlink handling. The business risk is substantial, particularly since the application often permits open self-registration by default. This allows any external visitor to exploit the vulnerabilities without authentication. Successful compromise grants attackers the same privileges as the server process, potentially leading to full system takeover and unauthorized access to sensitive intellectual property across all repositories.


CVE-2026-52813 with a CVSS score of 10.0 – This vulnerability allows path traversal in organization names to write files outside the intended folder, enabling attackers to overwrite Git hooks and execute arbitrary commands as the git user.

CVE-2026-52806 with a CVSS score of 9.9 – This flaw involves argument injection via a crafted branch name during a pull request rebase, allowing an attacker to inject options into git commands and execute code without admin rights or victim interaction.

CVE-2026-52811 with a CVSS score of 9.4 – This vulnerability exists in the file upload path where crafted filenames exploit symlink handling, allowing attackers to drop malicious files such as SSH keys or hooks that persist after a restart.
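The three bug classes above share one root cause: user-supplied names reaching the filesystem or a git command line without a boundary check. The following Go helpers are an added illustration of the corresponding defensive checks; they are not Gogs code, and the names SafeJoin, GitArgs and RefuseSymlink are hypothetical.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafe marks input that could escape a directory or be misparsed by git.
var ErrUnsafe = errors.New("rejected: unsafe input")

// SafeJoin joins an untrusted name (org, repo or upload filename) onto base and
// checks the cleaned result still lies inside base, defeating "../" and absolute paths.
func SafeJoin(base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrUnsafe
	}
	base = filepath.Clean(base)
	joined := filepath.Join(base, name) // Join also collapses ".." segments
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafe
	}
	return joined, nil
}

// GitArgs places a user-controlled ref in a git argument vector where it cannot be
// read as an option: names starting with '-' are refused and "--" ends option parsing.
func GitArgs(subcmd, ref string) ([]string, error) {
	if ref == "" || strings.HasPrefix(ref, "-") {
		return nil, ErrUnsafe
	}
	return []string{subcmd, "--", ref}, nil
}

// RefuseSymlink rejects a write when any existing ancestor of target below
// base is a symbolic link, so a planted link cannot redirect the file.
func RefuseSymlink(base, target string) error {
	for p := target; strings.HasPrefix(p, base) && p != base; p = filepath.Dir(p) {
		fi, err := os.Lstat(p)
		if err != nil && !errors.Is(err, os.ErrNotExist) {
			return err
		}
		if err == nil && fi.Mode()&os.ModeSymlink != 0 {
			return ErrUnsafe
		}
	}
	return nil
}
```

Call SafeJoin before any path is built from a request parameter, RefuseSymlink immediately before the write, and GitArgs for every ref that ends up in an exec call.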

The publication of proof-of-concept exploit code significantly increases the urgency of addressing these vulnerabilities, as they lower the barrier for attackers. If exploited, organizations face severe consequences including the complete compromise of their development infrastructure and potential theft of proprietary source code. Immediate attention is required to prevent unauthorized access and maintain the integrity of software repositories.

RECOMMENDATION:

We recommend updating Gogs to version 0.14.3.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/gogs-rce-vulnerability/
