CVE-2026-52806
Deferred Deferred - Pending Action

Remote Code Execution in Gogs via Git Rebase Command Injection

Vulnerability report for CVE-2026-52806, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. Authenticated users can exploit it by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" operation. This injection allows the attacker to execute arbitrary code remotely on the server.

Mitigation Strategies

To mitigate this vulnerability, upgrade Gogs to version 0.14.3 or later, where the issue has been fixed.

Impact Analysis

The vulnerability can lead to Remote Code Execution (RCE) on the server hosting Gogs. This means an attacker with authenticated access can run arbitrary commands on the server, potentially leading to full system compromise, data theft, data loss, or disruption of services.

Compliance Impact

The vulnerability allows authenticated users to execute arbitrary commands on the server, potentially compromising the entire server and accessing all repositories.

This could lead to unauthorized access to sensitive data, including credentials and repository contents, which may include personal or protected information.

Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and ensuring system integrity.

Detection Guidance

This vulnerability can be detected by checking if your Gogs instance is running a version prior to 0.14.3, as those versions are vulnerable to Remote Code Execution via crafted branch names during pull request merges.

To detect potential exploitation attempts on your system, you can monitor Git pull request merge operations for branch names starting with a hyphen ("--"), which are used to inject commands.

Suggested commands to help detect suspicious activity include:

  • Review Git branch names in pull requests for those starting with "--" using Git commands or API queries.
  • Check server logs for git rebase commands invoked with the --exec flag or unusual parameters.
  • Example command to list branches starting with "--" in a repository:
  • git branch --list '--*'
  • Use grep to search server logs for suspicious git rebase commands:
  • grep -r "git rebase --exec" /path/to/gogs/logs/

Additionally, ensure your Gogs installation is updated to version 0.14.3 or later to mitigate this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52806. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart