CVE-2026-52813: Gogs Path Traversal to RCE
| Field | Value |
|---|---|
| CVE ID | CVE-2026-52813 |
| CVSS score | 10.0 |
| Attack vector | Remote |
| Auth required | Unknown from the cited NVD text; defenders should not assume strong preconditions |
| Patch status | Fixed in Gogs 0.14.3 |
TL;DR - Gogs before 0.14.3 accepts
../in organization names. - That path traversal can place repositories at attacker-influenced filesystem paths and enable hook overwrite. - Upgrade to 0.14.3 immediately and review repo hooks and suspicious org names.
What This Vulnerability Is and Why It Matters
CVE-2026-52813 is a critical remote code execution vulnerability in Gogs, the open-source self-hosted Git service. According to the NVD description, Gogs versions prior to 0.14.3 accept organization names containing path traversal sequences such as ../. Gogs then uses those names when writing repository data to disk, allowing repositories to be created in attacker-influenced filesystem locations instead of remaining confined to their intended storage paths.
The impact is more severe than a simple directory traversal bug. The NVD description explicitly states that an attacker can use a nested Git repository structure to overwrite another repository’s hooks configuration, which can then lead to remote code execution. On a Git hosting service, hook execution is especially sensitive because hooks can invoke server-side commands during repository operations. If Gogs is running with broad filesystem or service privileges, compromise of the application can quickly become compromise of the host.
From a practitioner standpoint, this is a high-priority patch item because it combines three dangerous properties: arbitrary path influence, cross-repository integrity impact, and code execution potential. Even though the CVSS vector was not provided in the source material here, the CVSS base score of 10.0 signals maximum severity. For defenders, the right assumption is that any exposed or multi-user Gogs instance running before 0.14.3 should be treated as urgently vulnerable until upgraded and reviewed.
For further details on security vulnerabilities, check our FAQ on OWASP API Security Top 10 and the Incident Response Plan (IRP) glossary.
Affected Versions and Fixed Release
The affected product is Gogs. The vulnerable version range, as stated by NVD, is all versions prior to 0.14.3. The fixed version is 0.14.3. That fixed version is also reflected by the project release and security advisory references cited in the research note.
If you are running Gogs and do not have a reliable inventory, start by determining the installed version now. In the absence of version certainty, defenders should assume exposure if the deployment predates 0.14.3 or if package management, container tags, or local build processes make version attribution unclear. Self-hosted Git services often linger on old versions because they are viewed as internal tools, but they are also high-value targets due to stored source code, deploy keys, CI secrets, and administrative access paths.
A practical issue with Gogs deployments is that they may have been installed from a binary release, from source, through a container image, or as part of a distribution package. That means patch tracking may not be centralized. If you cannot quickly verify that the running build is exactly 0.14.3 or later, take the conservative route: restrict access, inspect for suspicious artifacts, and schedule emergency maintenance for upgrade validation.
Technical Notes
Check the running version using methods appropriate to your deployment:
# If Gogs binary is available in PATH
gogs --version
# If systemd is used, inspect the service command line
systemctl status gogs
# If running in Docker, inspect the image tag and process
docker ps --filter "name=gogs"
docker exec -it <container_id> /app/gogs/gogs --version
If you deploy from GitHub releases, the fixed release referenced in the advisory chain is:
Patched version: 0.14.3
Affected range: all versions prior to 0.14.3
Release reference: https://github.com/gogs/gogs/releases/tag/v0.14.3
Exploitation Status and What Defenders Should Assume
Based on the research provided, exploitation in the wild is not confirmed. The CVE is not listed in CISA KEV at the time of lookup, which means there is no KEV-based confirmation of active exploitation. That is useful context, but it should not be read as evidence of safety. Many severe vulnerabilities are exploited before they appear in public catalogs, and many others are abused opportunistically in environments that do not get broad reporting.
For public proof-of-concept status, the available primary-source evidence confirms a public advisory, a fix commit, a pull request, and a patched release. However, a standalone PoC was not verified from the primary sources in this research run. So the evidence-based statement is: patch and advisory exist; a standalone public PoC is not confirmed here; exploitation in the wild is not confirmed here.
In practice, defenders should assume that a vulnerability this straightforward to describe and this severe to exploit will draw researcher and attacker attention quickly. The presence of a fix commit and pull request also lowers the barrier to reverse-engineering the vulnerable logic. Even without a packaged exploit, an attacker with product knowledge may be able to reproduce the issue directly from the advisory trail.
| Question | Current evidence-based answer |
|---|---|
| Exploitation confirmed in the wild? | No confirmed evidence in the supplied sources |
| Listed in CISA KEV? | No |
| Public advisory available? | Yes |
| Patch available? | Yes, in 0.14.3 |
| Standalone public PoC verified? | Not confirmed from the primary sources provided |
How the Bug Works
The root cause is improper validation of organization names. Gogs accepted organization names containing path traversal elements such as ../, and then used those values in filesystem operations related to repository storage. That means the boundary between application-level naming and filesystem path construction was not enforced strongly enough.
Once an attacker can influence where repository data lands on disk, the risk expands from unauthorized data placement to interference with other repositories or application-controlled directories. The NVD description specifically notes that by creating a nested structure of Git repositories, an attacker can overwrite another repository’s hooks configuration. Git hooks are executable integration points, so malicious modification can result in server-side code execution when the hook is triggered.
This matters operationally because many defenders think of Git servers primarily as data stores. In reality, they are active workflow systems that may run hooks, integrate with CI/CD, manage SSH access, and hold sensitive credentials. A path traversal that reaches repository metadata or hook configuration is therefore much closer to direct RCE than a typical read-only traversal issue.
Technical Notes
The high-level exploitation chain described by NVD is:
1. Attacker submits an organization name containing ../
2. Gogs uses that path while storing repository data
3. Repository files are written outside intended boundaries
4. Nested repository layout enables hook configuration overwrite
5. Hook execution leads to remote code execution
Primary references tied to the fix and analysis path:
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-52813
Fix commit: https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7
Pull request: https://github.com/gogs/gogs/pull/8334
Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5
Detection and Triage Guidance
Detection should focus on three areas: suspicious organization names, unexpected repository paths on disk, and modified Git hook configuration. Because the published description centers on ../ traversal in organization names, the fastest first-pass triage is to search application logs, audit records, or database content for organization names containing traversal sequences or encoded variants.
The next priority is filesystem inspection. Review where Gogs stores repositories and look for repositories outside the normal root, unusual nested repository layouts, or recently changed hook files. Even if you do not immediately find a malicious organization name, the attacker’s end goal is hook overwrite and code execution, so filesystem artifacts may be more durable than UI-level traces. Also review user and organization creation events around the period before patching.
Because specific native Gogs log schemas were not provided in the source material, defenders should avoid assuming exact field names. Instead, use pattern-based hunting and verify locally against your configured log format, reverse proxy logs, and any SIEM normalization.
Technical Notes
Example patterns to hunt for in logs and stored metadata:
../
..%2f
%2e%2e/
%2e%2e%2f
Generic grep-based hunts across Gogs and reverse proxy logs:
grep -RInE '(\.\./|%2e%2e%2f|\.%2f)' /var/log/nginx /var/log/apache2 /var/log/gogs 2>/dev/null
Filesystem checks for suspicious hook modifications under common repository storage roots:
find /var/lib/gogs -type f \( -path "*/hooks/*" -o -name "config" \) -mtime -14 -ls
find /home/git/gogs-repositories -type f \( -path "*/hooks/*" -o -name "config" \) -mtime -14 -ls
Example Sigma-style detection logic you can adapt to your log source:
title: Suspicious Gogs path traversal in organization name
logsource:
product: webserver
detection:
selection:
cs-uri-query|contains:
- "../"
- "%2e%2e%2f"
- "..%2f"
condition: selection
level: high
Example Splunk query for reverse proxy or application logs:
index=web OR index=app ("../" OR "%2e%2e%2f" OR "..%2f")
| stats count by src_ip, uri, user, http_method
| sort - count
Mitigation and Patching
The primary mitigation is to upgrade Gogs to 0.14.3 immediately. Since the issue is fixed in that release, patching should be the default response rather than attempting to rely solely on compensating controls. If your deployment is internet-exposed or available to a broad internal user base, expedite the change as an emergency fix.
Before and after the upgrade, review repository hook files and repository placement on disk. Patching stops new exploitation through this bug, but it does not undo malicious filesystem writes or hook changes that may already have occurred. If you find unexplained hook modifications, suspicious repositories, or signs of command execution, escalate to incident response. Given the RCE potential, host-level review is warranted, including service accounts, cron jobs, SSH keys, and outbound connections.
If you cannot patch immediately, apply temporary workarounds to reduce risk. Restrict access to trusted administrators only, block external exposure at the reverse proxy or firewall, and increase monitoring for traversal attempts. These are stopgap measures, not substitutes for the fixed release.
Technical Notes
Upgrade commands will depend on how Gogs was deployed. Use the method that matches your environment and verify the resulting binary version is 0.14.3.
Example binary replacement workflow:
# Stop the service
sudo systemctl stop gogs
# Back up config and data first
sudo tar czf /root/gogs-backup-$(date +%F).tgz /etc/gogs /var/lib/gogs /home/git/gogs-repositories 2>/dev/null
# Replace the binary with the 0.14.3 release artifact using your standard trusted source
# Then restart
sudo systemctl start gogs
# Verify
gogs --version
Example container-oriented workflow:
docker pull gogs/gogs:0.14.3
docker stop gogs
docker rm gogs
docker run -d --name gogs
-p 3000:3000 -p 2222:22
-v /srv/gogs:/data \
gogs/gogs:0.14.3
Temporary reverse-proxy blocking pattern for obvious traversal strings, if patching is delayed:
if ($request_uri ~* "(\.\./|%2e%2e%2f|\.%2f)") {
return 403;
}
Be cautious with this workaround: it may reduce trivial probes but should not be treated as complete protection against all encodings or logic paths.
What to Do Next
If you run Gogs, the immediate action list is straightforward. First, identify any instance running before 0.14.3 and schedule emergency upgrade. Second, inspect organization names, repository paths, and hook files for suspicious changes. Third, review logs for traversal attempts and repository creation anomalies. Finally, if you detect any indication of hook tampering or unexplained command execution, treat the server as potentially compromised.
For SMBs and lean IT teams, the practical priority is risk reduction rather than perfect forensics on day one. Patch first, preserve logs and backups, then perform targeted hunting. For larger teams, enrich the review with EDR telemetry on the Gogs host, process execution traces from the service account, and any unusual outbound network activity following Git operations.
References
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-52813
- Gogs project: https://github.com/gogs/gogs
- Fixed release: https://github.com/gogs/gogs/releases/tag/v0.14.3
- GitHub security advisory: https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5
- Fix commit: https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7
- Pull request: https://github.com/gogs/gogs/pull/8334
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.