CVE-2026-52811
Received Received - Intake
Symlink Bypass in Gogs Leading to Arbitrary File Write

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component β€” UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write β€” ~git/.ssh/authorized_keys β†’ SSH foothold, or <repo>.git/hooks/post-receive β†’ next-push RCE. This vulnerability is fixed in 0.14.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-52811
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. The issue arises because the function responsible for uploading repository files only checks for symbolic links (symlinks) at the final target path, not in the entire path. An attacker with write access to a repository can craft a multipart upload with a filename containing a literal backslash, which is processed in a way that allows the write operation to be redirected through a previously committed directory symlink.

Because the file copy operation does not prevent following symlinks, the attacker can cause the system to write files anywhere the Gogs user has write permissions. This can include sensitive files such as the SSH authorized_keys file, allowing the attacker to gain SSH access, or Git hooks that enable remote code execution on the next push.

This vulnerability was fixed in version 0.14.3 of Gogs.

Impact Analysis

This vulnerability can have severe impacts if exploited. An attacker with repository write access can leverage it to write arbitrary files anywhere the Gogs user has permission. This includes overwriting SSH authorized_keys to gain persistent SSH access or modifying Git hooks to execute arbitrary code during repository operations.

Such unauthorized access and code execution can lead to full system compromise, data theft, or disruption of services hosted on the affected system.

Mitigation Strategies

The vulnerability is fixed in Gogs version 0.14.3. Immediate mitigation involves upgrading your Gogs installation to version 0.14.3 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52811. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart