CVE-2026-52805
Deferred Deferred - Pending Action

SSRF in Gogs Repository Migration via Git Redirect

Vulnerability report for CVE-2026-52805, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP redirects. An authenticated user can submit a public URL that redirects to a blocked internal endpoint (e.g., 127.0.0.1), importing the internal repository's contents into an attacker-controlled repository. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, prior to version 0.14.3. It is a Server-Side Request Forgery (SSRF) issue in the repository migration functionality. The application only validates the hostname of the initially submitted URL, but when using git clone --mirror, HTTP redirects are followed. An authenticated user can submit a public URL that redirects to a blocked internal endpoint, such as 127.0.0.1, which allows the attacker to import the contents of an internal repository into a repository they control.

Impact Analysis

This vulnerability can allow an authenticated attacker to access internal repositories that are normally blocked or inaccessible. By exploiting the SSRF, the attacker can import sensitive internal repository contents into their own repository, potentially exposing confidential information. This can lead to a compromise of internal data confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the Server-Side Request Forgery (SSRF) issue in the repository migration functionality has been fixed.

Compliance Impact

CVE-2026-52805 is a high severity Server-Side Request Forgery (SSRF) vulnerability that allows an authenticated attacker to import internal repository contents into an attacker-controlled repository by exploiting insufficient validation of HTTP redirects during repository migration and mirror synchronization in Gogs.

This vulnerability can lead to unauthorized access and exfiltration of sensitive internal data such as source code and secrets, which may include personal or protected information depending on the repository contents.

Such unauthorized data exposure and potential compromise of confidentiality and integrity could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive and personal data against unauthorized access and breaches.

Therefore, organizations using vulnerable versions of Gogs prior to 0.14.3 may face increased risk of non-compliance with these regulations if this vulnerability is exploited.

Detection Guidance

Detection of this SSRF vulnerability involves monitoring and analyzing repository migration and mirror synchronization activities in Gogs, especially looking for git clone commands that follow HTTP redirects to internal or blocked endpoints.

One practical approach is to check for git clone operations with the --mirror flag that might be following redirects to internal IP addresses such as 127.0.0.1 or private network ranges.

You can use network monitoring tools or logs to detect outbound requests from your Gogs server to internal IP addresses triggered by migration or mirror sync operations.

A suggested command to detect suspicious git clone operations is to monitor git processes or logs for the presence of the flag '-c http.followRedirects=false' which is part of the fix. Absence of this flag in git clone commands during migration or mirror sync could indicate vulnerability.

For example, on the Gogs server, you can run commands like:

  • ps aux | grep 'git clone --mirror'
  • grep -r 'http.followRedirects' /path/to/gogs/logs
  • tcpdump or Wireshark filters to detect HTTP requests from the Gogs server to internal IP addresses during migration or mirror sync operations.

Additionally, reviewing the migration URLs submitted by authenticated users for redirects to internal endpoints can help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52805. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart