CVE-2026-52810

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: gogs
Product: gogs
Version / Range: to 0.14.3 (exclusive)
CWE ID: CWE-284
Description: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. Gogs's Git smart HTTP handling authorizes POST requests to the …/git-receive-pack endpoint based on the client-supplied service query string rather than on the operation the route actually runs. If the query string is set to ?service=git-upload-pack, the request is evaluated as read access, but the server still runs git receive-pack, which accepts pushed changes. As a result, users who should only have read access can push, bypassing the intended access controls.

This vulnerability was fixed in version 0.14.3 of Gogs.
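
The authorization mismatch described above, as an added example in Go (not Gogs source code and not part of this advisory): a simplified model of a check keyed on the client-supplied service value beside one keyed on the routed path, with a helper that flags request URIs where the first demands less access than the second, a pattern that can also be searched for in access logs. The function names, access constants and sample URIs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Access levels, lowest to highest (names are this example's own).
const AccessRead, AccessWrite = 1, 2

// accessFromQuery is a simplified model of the flaw in the description:
// ?service=git-upload-pack makes the request count as a read.
func accessFromQuery(u *url.URL) int {
	if u.Query().Get("service") == "git-upload-pack" {
		return AccessRead
	}
	return AccessWrite
}

// accessFromRoute derives the required access from the operation the route
// will run; ?service= is only consulted on the /info/refs advertisement.
func accessFromRoute(u *url.URL) int {
	p := strings.TrimSuffix(u.Path, "/")
	if strings.HasSuffix(p, "/git-receive-pack") ||
		(strings.HasSuffix(p, "/info/refs") && u.Query().Get("service") == "git-receive-pack") {
		return AccessWrite
	}
	return AccessRead
}

// Mismatch reports whether the query-based check would demand less access
// than the routed operation needs for the given request URI.
func Mismatch(requestURI string) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	return accessFromQuery(u) < accessFromRoute(u), nil
}

func main() {
	// Constructed sample request URIs, not taken from any real log.
	for _, uri := range []string{"/alice/repo.git/git-receive-pack",
		"/alice/repo.git/git-receive-pack?service=git-upload-pack"} {
		bad, _ := Mismatch(uri)
		fmt.Println(uri, "under-authorized:", bad)
	}
}
```
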

Impact Analysis

This vulnerability can allow unauthorized users to push changes to repositories where they should only have read access. This can lead to unauthorized code modifications, potential introduction of malicious code, and compromise of the integrity of the repository.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the issue has been fixed.
