CVE-2026-52811
Deferred Deferred - Pending Action

Symlink Bypass in Gogs Leading to Arbitrary File Write

Vulnerability report for CVE-2026-52811, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component β€” UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write β€” ~git/.ssh/authorized_keys β†’ SSH foothold, or <repo>.git/hooks/post-receive β†’ next-push RCE. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker with repository write access to write arbitrary files anywhere the Gogs service user can write, including sensitive files such as SSH authorized_keys or Git hooks that can lead to remote code execution.

Such unauthorized file writes and potential remote code execution could lead to unauthorized access and data breaches, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could compromise the confidentiality and integrity of data, impacting compliance with these regulations.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue arises because the function responsible for uploading repository files only checks for symbolic links (symlinks) at the final target path, not in the entire path. An attacker with write access to a repository can craft a multipart upload with a filename containing a literal backslash, which is processed in a way that allows the write operation to be redirected through a previously committed directory symlink.

Because the file copy operation does not prevent following symlinks, the attacker can cause the system to write files anywhere the Gogs user has write permissions. This can include sensitive files such as the SSH authorized_keys file, allowing the attacker to gain SSH access, or Git hooks that enable remote code execution on the next push.

This vulnerability was fixed in version 0.14.3 of Gogs.

Impact Analysis

This vulnerability can have severe impacts if exploited. An attacker with repository write access can leverage it to write arbitrary files anywhere the Gogs user has permission. This includes overwriting SSH authorized_keys to gain persistent SSH access or modifying Git hooks to execute arbitrary code during repository operations.

Such unauthorized access and code execution can lead to full system compromise, data theft, or disruption of services hosted on the affected system.

Mitigation Strategies

The vulnerability is fixed in Gogs version 0.14.3. Immediate mitigation involves upgrading your Gogs installation to version 0.14.3 or later.

Detection Guidance

Detection of CVE-2026-52811 involves identifying attempts to exploit the symlink traversal vulnerability in Gogs prior to version 0.14.3. Since the vulnerability allows writing files outside the repository working tree via crafted multipart uploads with filenames containing path separators, monitoring for unusual file writes or uploads with suspicious filenames is key.

You can check for suspicious symlinks in your repository directories and monitor for unexpected modifications to sensitive files such as ~/.ssh/authorized_keys or Git hooks like post-receive.

Suggested commands to help detect potential exploitation attempts or presence of malicious files include:

  • Find symlinks inside the repository directory (replace /path/to/repo with your repo path): find /path/to/repo -type l -ls
  • Check for unexpected modifications or presence of files like authorized_keys: ls -l ~git/.ssh/authorized_keys
  • Audit recent file changes in the repository or hooks directory: find /path/to/repo.git/hooks -type f -mtime -7 -ls
  • Monitor Gogs logs for multipart upload requests with suspicious filenames containing backslashes or path separators.

Note that no specific detection commands are provided in the resources, so these suggestions are based on understanding the vulnerability's nature and typical indicators of compromise.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52811. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart