CVE-2026-52801
Deferred Deferred - Pending Action

Gogs Local Repository Import via Mirror Settings

Vulnerability report for CVE-2026-52801, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. It involves the Mirror Settings functionality, which allowed any authenticated user to import local repositories through an alternative method that bypassed the well-protected New Migration functionality. The root cause is a lack of validation in the SaveAddress function, which enabled this unauthorized import capability. The issue was fixed in version 0.14.3.

Impact Analysis

This vulnerability can have significant impacts because it allows any authenticated user to import local repositories without proper validation. According to the CVSS v3.1 score of 8.1, it has a high impact on confidentiality and availability, meaning sensitive data could be exposed or systems could be disrupted. Specifically, it can lead to unauthorized access to repository data and potentially cause denial of service or data integrity issues.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the issue with the Mirror Settings functionality and the SaveAddress function validation has been fixed.

Compliance Impact

CVE-2026-52801 allows authenticated users to bypass validation checks and import local repositories or perform Server-Side Request Forgery (SSRF) attacks, potentially exposing internal resources and sensitive data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive information and protection against unauthorized data disclosure.

The vulnerability's high severity and impact on confidentiality and availability highlight risks that organizations must address to maintain compliance.

Detection Guidance

This vulnerability involves improper validation of mirror repository remote addresses in Gogs versions prior to 0.14.3, allowing authenticated users to import local repositories or perform SSRF attacks by manipulating mirror settings.

To detect exploitation attempts or the presence of this vulnerability on your system, you can:

  • Check Gogs version to confirm if it is earlier than 0.14.3, as the vulnerability is fixed starting from 0.14.3.
  • Audit repository mirror settings for suspicious remote addresses, especially those using file:// URLs or internal network addresses that bypass expected protocols (http://, https://, git://).
  • Monitor logs for authenticated users updating mirror repository remote addresses with unusual or local file paths.

Suggested commands to assist in detection:

  • 1. Check Gogs version: `gogs --version` or review the installed package version.
  • 2. Search Gogs database or configuration files for mirror remote addresses containing 'file://' or internal IP ranges (e.g., 10.x.x.x, 192.168.x.x):
  • - Example SQL query (adjust for your database): `SELECT repo_name, mirror_address FROM mirrors WHERE mirror_address LIKE 'file://%' OR mirror_address LIKE 'http://10.%' OR mirror_address LIKE 'http://192.168.%';`
  • 3. Review Gogs server logs for API or web requests updating mirror addresses with suspicious values.
  • 4. Use network monitoring tools to detect unusual outbound requests from the Gogs server to local file paths or internal network addresses.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart