CVE-2026-52801
Received - Intake
Gogs Local Repository Import via Mirror Settings

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provides an alternative to the well-protected New Migration functionality through which any authenticated user can import local repositories. This issue stems from a lack of validation in the SaveAddress function. This vulnerability is fixed in 0.14.3.
Meta Information

Published: 2026-06-24

Last Modified: 2026-06-24

Generated: 2026-06-25

AI Q&A: 2026-06-25

EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: gogs

Product: gogs

Version / Range: up to 0.14.3 (excluding)

CWE
CWE ID: CWE-20

Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. It involves the Mirror Settings functionality, which allowed any authenticated user to import local repositories through an alternative method that bypassed the well-protected New Migration functionality. The root cause is a lack of validation in the SaveAddress function, which enabled this unauthorized import capability. The issue was fixed in version 0.14.3.

Impact Analysis

This vulnerability can have significant impacts because it allows any authenticated user to import local repositories without proper validation. According to the CVSS v3.1 score of 8.1, it has a high impact on confidentiality and availability, meaning sensitive data could be exposed or systems could be disrupted. Specifically, it can lead to unauthorized access to repository data and potentially cause denial of service or data integrity issues.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the issue with the Mirror Settings functionality and the SaveAddress function validation has been fixed.
