Executive Summary

CVE-2026-26194 is a security vulnerability in the Gogs Git service affecting versions prior to 0.14.2. The issue occurs when deleting a release if a user-controlled tag name is passed to the git command without the proper end-of-options separator (`--`). If the tag name starts with a dash (`-`), Git interprets it as an option rather than a tag name, allowing an attacker to inject arbitrary Git options. This can cause unexpected behavior or failure during the release deletion process.

The vulnerability arises because the deletion command uses `git tag -d <tagname>` without the `--` separator, which is necessary to distinguish options from positional arguments. Although some sanitization exists when creating tags, it does not cover all methods of adding tags, such as via `git push`. An attacker who can add a malicious tag and has permission to delete releases can exploit this to inject Git options.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to operational issues during release cleanup in Gogs. Specifically, it may cause denial of service by failing or causing unexpected behavior when deleting tags or releases.

• Potential denial of service during release deletion.
• Failure or unexpected behavior in tag or release deletion processes.
• Possible inconsistencies in release metadata.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability arises when deleting a Git tag that starts with a dash (-) without using the proper end-of-options separator in the git command. Detection involves checking if any tags in your Gogs repository start with a dash and if the deletion commands are executed without the '--' separator."}, {'type': 'paragraph', 'content': 'You can list tags in your Git repository to identify any tags starting with a dash by running the following command in the repository directory:'}, {'type': 'list_item', 'content': "git tag | grep '^-'"}, {'type': 'paragraph', 'content': "If such tags exist, attempts to delete releases that reference these tags without the '--' separator may trigger the vulnerability. Monitoring logs or audit trails for errors or unexpected behavior during release deletion in Gogs may also help detect exploitation attempts."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, you should upgrade Gogs to version 0.14.2 or later where the issue is patched.'}, {'type': 'paragraph', 'content': "If upgrading is not immediately possible, ensure that the git commands used for deleting tags include the '--' end-of-options separator to prevent option injection. For example, use:"}, {'type': 'list_item', 'content': 'git tag -d -- <tagname>'}, {'type': 'paragraph', 'content': 'Additionally, audit any custom scripts or integrations that delete tags or releases to confirm they use safe Git module APIs or properly handle user input to avoid command injection.'}, {'type': 'paragraph', 'content': 'Restrict permissions so that only trusted users can delete releases or tags, reducing the risk of exploitation.'}] [1, 2, 3]

Useful 0 Not Useful 0