CVE-2026-52805
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP redirects. An authenticated user can submit a public URL that redirects to a blocked internal endpoint (e.g., 127.0.0.1), importing the internal repository's contents into an attacker-controlled repository. This vulnerability is fixed in 0.14.3.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: gogs
Product: gogs
Version / Range: to 0.14.3 (exc)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, prior to version 0.14.3. It is a Server-Side Request Forgery (SSRF) issue in the repository migration functionality. The application only validates the hostname of the initially submitted URL, but when using git clone --mirror, HTTP redirects are followed. An authenticated user can submit a public URL that redirects to a blocked internal endpoint, such as 127.0.0.1, which allows the attacker to import the contents of an internal repository into a repository they control.

Impact Analysis

This vulnerability can allow an authenticated attacker to access internal repositories that are normally blocked or inaccessible. By exploiting the SSRF, the attacker can import sensitive internal repository contents into their own repository, potentially exposing confidential information. This can lead to a compromise of internal data confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the Server-Side Request Forgery (SSRF) issue in the repository migration functionality has been fixed.
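The description names the gap precisely: the hostname is checked once, when the URL is submitted, while the clone that follows later honours HTTP redirects to wherever they point. The Go code below is an added illustration of the defensive pattern, not Gogs' code and not the actual fix shipped in 0.14.3 (which the advisory does not describe): the same destination check runs on the submitted URL and then again on every redirect hop, wired into an http.Client via its CheckRedirect hook. Function names such as checkDestination and fakeResolve, the hostnames public.example and internal.example, and the redirect chain in main are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// ErrBlockedDestination is returned when a URL, whether the initially
// submitted one or a redirect target, points at an address the migration
// feature must never fetch from.
var ErrBlockedDestination = errors.New("migration URL resolves to a blocked destination")

// hostnameBlocklist catches literal names that would otherwise dodge the
// IP-based checks. Constructed for this example.
var hostnameBlocklist = map[string]bool{"localhost": true}

// isBlockedIP reports whether ip is loopback, private, link-local,
// multicast or unspecified, i.e. an address the server should not reach
// on behalf of a user.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkDestination validates one URL exactly as it is encountered. The
// resolver is injected so the logic can run offline; in production pass
// net.LookupIP.
func checkDestination(raw string, resolve func(host string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || hostnameBlocklist[host] {
		return ErrBlockedDestination
	}
	// A literal IP address needs no lookup; check it directly.
	if ip := net.ParseIP(host); ip != nil {
		if isBlockedIP(ip) {
			return ErrBlockedDestination
		}
		return nil
	}
	ips, err := resolve(host)
	if err != nil {
		return err
	}
	if len(ips) == 0 {
		return ErrBlockedDestination
	}
	// Reject if any resolved address is blocked: the fetch may use any of them.
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return ErrBlockedDestination
		}
	}
	return nil
}

// newMigrationClient builds an http.Client whose redirect hook re-runs the
// destination check on every hop, which is the step the vulnerable code
// skipped. A hop limit bounds redirect loops.
func newMigrationClient(resolve func(string) ([]net.IP, error)) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return checkDestination(req.URL.String(), resolve)
		},
	}
}

// fakeResolve is a constructed resolver: public.example maps to a TEST-NET
// address, internal.example to an RFC 1918 one.
func fakeResolve(host string) ([]net.IP, error) {
	switch host {
	case "public.example":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "internal.example":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

// simulateRedirectChain applies the per-hop check to a chain of URLs the way
// CheckRedirect would see them, without any network traffic. It returns the
// index of the first rejected hop, or -1 if every hop is acceptable.
func simulateRedirectChain(hops []string, resolve func(string) ([]net.IP, error)) (int, error) {
	for i, h := range hops {
		if err := checkDestination(h, resolve); err != nil {
			return i, err
		}
	}
	return -1, nil
}

func main() {
	// Constructed chain: the submitted URL passes, the redirect target does not.
	chain := []string{
		"https://public.example/repo.git",
		"http://127.0.0.1:3000/internal/repo.git",
	}
	hop, err := simulateRedirectChain(chain, fakeResolve)
	fmt.Printf("rejected at hop %d: %v\n", hop, err)
	_ = newMigrationClient(fakeResolve)
}
```

Two caveats a reviewer would raise. First, a pre-flight check in the web application only helps if the actual fetch cannot wander off on its own: because git itself follows redirects, the clone must either be driven through a client that enforces this hook or have redirect following turned off in git (the http.followRedirects configuration option). Second, checking a hostname and then fetching later leaves a window for DNS answers to change between the two steps, so the check belongs as close to the connection as possible, ideally at dial time.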
