CVE-2026-52810
Deferred Deferred - Pending Action

Git Smart HTTP Authorization Bypass in Gogs

Vulnerability report for CVE-2026-52810, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue is that the Git smart HTTP protocol authorizes POST requests to the /git-receive-pack endpoint based on the client-supplied service query string. Specifically, if the query string is set to ?service=git-upload-pack, it is incorrectly evaluated as read access, but the server still runs git receive-pack, which allows pushing changes. This means that users who should only have read access can push changes, bypassing intended access controls.

This vulnerability was fixed in version 0.14.3 of Gogs.

Impact Analysis

This vulnerability can allow unauthorized users to push changes to repositories where they should only have read access. This can lead to unauthorized code modifications, potential introduction of malicious code, and compromise of the integrity of the repository.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gogs to version 0.14.3 or later, where the issue has been fixed.

Compliance Impact

CVE-2026-52810 allows unauthorized write access to repositories that should be read-only, enabling attackers to modify repository content without proper permissions.

This unauthorized modification capability can lead to integrity violations and bypassing of intended access controls, which may impact compliance with standards and regulations that require strict access control and data integrity, such as GDPR and HIPAA.

Specifically, the vulnerability could result in unauthorized changes to sensitive code or data stored in repositories, potentially exposing organizations to risks of data breaches or tampering that these regulations aim to prevent.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /git-receive-pack endpoint that include a query parameter ?service=git-upload-pack, which should normally indicate read-only access but is exploited here to gain write access.

A practical detection method is to inspect HTTP logs or capture network traffic for such requests that combine a POST method to /git-receive-pack with the service=git-upload-pack parameter.

Example commands to detect potential exploitation attempts include:

  • Using grep on web server logs to find suspicious requests: grep 'POST /git-receive-pack?service=git-upload-pack' /path/to/access.log
  • Using tcpdump to capture HTTP traffic and filter for the pattern: tcpdump -A -s 0 'tcp port 80 and (((tcp[((tcp[12:1] & 0xf0) >> 2):4]) = 0x504f5354) and (tcp[((tcp[12:1] & 0xf0) >> 2)+5:15] contains "/git-receive-pack?service=git-upload-pack"))'
  • Using curl or similar tools to test if the server improperly authorizes write operations by sending a crafted POST request to /git-receive-pack with the service=git-upload-pack parameter.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart