CVE-2026-26194
Command Injection via Improper Tag Handling in Gogs Releases
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gogs | gogs | < 0.14.2 (0.14.2 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26194 is a security vulnerability in the Gogs Git service affecting versions prior to 0.14.2. The issue occurs when deleting a release if a user-controlled tag name is passed to the git command without the proper end-of-options separator (`--`). If the tag name starts with a dash (`-`), Git interprets it as an option rather than a tag name, allowing an attacker to inject arbitrary Git options. This can cause unexpected behavior or failure during the release deletion process.
The vulnerability arises because the deletion command uses `git tag -d <tagname>` without the `--` separator, which is necessary to distinguish options from positional arguments. Although some sanitization exists when creating tags, it does not cover all methods of adding tags, such as via `git push`. An attacker who can add a malicious tag and has permission to delete releases can exploit this to inject Git options.
How can this vulnerability impact me?
This vulnerability can lead to operational issues during release cleanup in Gogs. Specifically, it may cause denial of service by failing or causing unexpected behavior when deleting tags or releases.
- Potential denial of service during release deletion.
- Failure or unexpected behavior in tag or release deletion processes.
- Possible inconsistencies in release metadata.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when deleting a Git tag that starts with a dash (`-`) without using the proper end-of-options separator in the git command. Detection involves checking if any tags in your Gogs repository start with a dash and if the deletion commands are executed without the `--` separator.

You can list tags in your Git repository to identify any tags starting with a dash by running the following command in the repository directory:

```
git tag | grep '^-'
```

If such tags exist, attempts to delete releases that reference these tags without the `--` separator may trigger the vulnerability. Monitoring logs or audit trails for errors or unexpected behavior during release deletion in Gogs may also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade Gogs to version 0.14.2 or later, where the issue is patched.

If upgrading is not immediately possible, ensure that the git commands used for deleting tags include the `--` end-of-options separator to prevent option injection. For example, use:

```
git tag -d -- <tagname>
```

Additionally, audit any custom scripts or integrations that delete tags or releases to confirm they use safe Git module APIs or properly handle user input to avoid command injection.

Restrict permissions so that only trusted users can delete releases or tags, reducing the risk of exploitation. [1, 2, 3]
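The two argument shapes contrasted above (with and without `--`), together with the tag scan from the detection answer, as an added Go example. This is not Gogs' own code: the function names are this example's own, and the `git tag` output it scans is a constructed sample. It builds the argv a release-deletion routine would hand to git, shows the variant that `--` protects, and flags tag names that git's option parser would otherwise consume:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the output of `git tag` in a repository where two
// tags with a leading dash were pushed alongside ordinary version tags.
const sampleTagList = "v1.0.0\nv1.1.0\n-u\n--help\nrelease-2026\n"

// unsafeDeleteArgs has the pre-0.14.2 shape: the tag name is appended with
// nothing separating it from git's option parsing, so a name that begins
// with "-" is read as an option instead of a tag.
func unsafeDeleteArgs(tag string) []string {
	return []string{"tag", "-d", tag}
}

// safeDeleteArgs has the fixed shape: "--" ends option parsing, so whatever
// follows is treated as a tag name even when it starts with "-".
func safeDeleteArgs(tag string) []string {
	return []string{"tag", "-d", "--", tag}
}

// looksLikeOption reports whether git would parse the value as an option
// if it appeared before "--".
func looksLikeOption(tag string) bool {
	return strings.HasPrefix(tag, "-")
}

// findOptionLikeTags scans `git tag` output (one name per line) and returns
// the names that begin with a dash, the same check as `git tag | grep '^-'`.
func findOptionLikeTags(gitTagOutput string) []string {
	var hits []string
	for _, line := range strings.Split(gitTagOutput, "\n") {
		name := strings.TrimSpace(line)
		if name != "" && looksLikeOption(name) {
			hits = append(hits, name)
		}
	}
	return hits
}

// operandProtected is an audit helper for scripts that shell out to git: it
// reports whether the given operand sits after a "--" in argv, i.e. whether
// git will treat it as a positional argument regardless of its first byte.
func operandProtected(argv []string, operand string) bool {
	sep := -1
	for i, a := range argv {
		if a == "--" {
			sep = i
			break
		}
	}
	if sep < 0 {
		return false
	}
	for _, a := range argv[sep+1:] {
		if a == operand {
			return true
		}
	}
	return false
}

func main() {
	for _, tag := range findOptionLikeTags(sampleTagList) {
		fmt.Printf("tag %q: unsafe argv %v (git parses an option), safe argv %v\n",
			tag, unsafeDeleteArgs(tag), safeDeleteArgs(tag))
	}
}
```

`findOptionLikeTags` is the same test as the `grep '^-'` one-liner, usable from a Go audit tool over the output of `git tag` or `git for-each-ref`; `operandProtected` is what an audit of custom deletion scripts should assert about every argv they build before executing git.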