CVE-2026-52812
Status: Received - Intake
Path Traversal in Gogs Git Service

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3.
Meta Information
Page generated: 2026-06-25
CVSS score: none shown on this page
EPSS score: not evaluated (N/A)
Affected Vendors & Products
Vendor: gogs
Product: gogs
Version range: all releases prior to 0.14.3 (the page's CPE line reads "to 0.14.3 (inc)", but the description states that 0.14.3 is the fixed release, so 0.14.3 itself is not affected)
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-345 (Insufficient Verification of Data Authenticity): The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Executive Summary

Gogs is an open source self-hosted Git service. In versions prior to 0.14.3 its Git LFS (Large File Storage) backend keeps every object in one content-addressed store, at <LFS-root>/<oid[0]>/<oid[1]>/<oid>, where the OID is the SHA-256 digest of the object's bytes. Repository-level access control is not enforced on that path; it lives in the lfs_object table, which records the (repo_id, oid) pairs a repository is allowed to serve.

The upload handler, serveUpload, treats an already-present OID as a deduplication hit: it skips writing the uploaded body and simply inserts a new (repo_id, oid) row for the uploading repository. Because it never hashes the body and compares the result with the claimed OID, the client is never required to prove that it actually holds the content. A user with write access to any repository can therefore send an LFS upload that claims the OID of an object belonging to a private repository, obtain a row binding that OID to their own repository, and then fetch the original bytes through their own repository's LFS download endpoint, whose authorization check consults only that row.

Although the page titles the issue a path traversal, no filesystem traversal is involved: the storage path is derived from a hex digest, and the weakness is the missing ownership check described by the listed CWEs (CWE-862, CWE-639, CWE-345). Exploitation requires that the attacker already know the target OID, a 64-character hex SHA-256 digest that cannot be guessed; the page does not state how one would be obtained.

This vulnerability was fixed in version 0.14.3 of Gogs.
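A worked model of the mechanism laid out in the description and the summary above, as an added example that is not Gogs's own code: the in-memory LFSServer, its method names and the sample secret are assumptions made here for illustration. UploadVulnerable reproduces the pre-0.14.3 deduplication shortcut; UploadFixed hashes the body and refuses to bind a repository to an OID it did not actually receive.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// OID computes a Git LFS object ID: the lowercase hex SHA-256 of the content.
func OID(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// lfsKey mirrors the (repo_id, oid) key of the lfs_object table.
type lfsKey struct {
	RepoID int64
	OID    string
}

// LFSServer is a hypothetical in-memory model (not Gogs's code) of the two
// stores the advisory describes: blobs content-addressed by OID alone, and
// per-repo authorization rows keyed (repo_id, oid).
type LFSServer struct {
	blobs   map[string][]byte   // stands in for <LFS-root>/<oid[0]>/<oid[1]>/<oid>
	objects map[lfsKey]struct{} // stands in for lfs_object rows
}

func NewLFSServer() *LFSServer {
	return &LFSServer{blobs: map[string][]byte{}, objects: map[lfsKey]struct{}{}}
}

var (
	ErrOIDMismatch = errors.New("lfs: request body does not hash to the claimed OID")
	ErrNotFound    = errors.New("lfs: object not bound to this repository")
)

// UploadVulnerable reproduces the pre-0.14.3 logic: when a blob with the
// claimed OID already exists, the body is ignored and a (repo_id, oid) row
// is inserted anyway, so the caller never proves it holds the content.
func (s *LFSServer) UploadVulnerable(repoID int64, claimedOID string, body io.Reader) error {
	if _, exists := s.blobs[claimedOID]; !exists {
		data, err := io.ReadAll(body)
		if err != nil {
			return err
		}
		s.blobs[claimedOID] = data
	}
	s.objects[lfsKey{repoID, claimedOID}] = struct{}{}
	return nil
}

// UploadFixed always hashes the body and refuses to bind the repo to an OID
// the client did not send, whether or not the blob already exists on disk.
// Storage is still deduplicated, but only after verification.
func (s *LFSServer) UploadFixed(repoID int64, claimedOID string, body io.Reader) error {
	data, err := io.ReadAll(body)
	if err != nil {
		return err
	}
	if OID(data) != claimedOID {
		return ErrOIDMismatch
	}
	if _, exists := s.blobs[claimedOID]; !exists {
		s.blobs[claimedOID] = data
	}
	s.objects[lfsKey{repoID, claimedOID}] = struct{}{}
	return nil
}

// Download authorizes on the (repo_id, oid) row, as the advisory says the
// download endpoint does, then serves the blob by OID alone.
func (s *LFSServer) Download(repoID int64, oid string) ([]byte, error) {
	if _, ok := s.objects[lfsKey{repoID, oid}]; !ok {
		return nil, ErrNotFound
	}
	return s.blobs[oid], nil
}

// Scenario walks the abuse path: a private repo (id 1) stores a secret, an
// attacker with write access to repo 2 claims that OID with junk content,
// then downloads through repo 2. It returns whatever the attacker receives.
func Scenario(upload func(*LFSServer, int64, string, io.Reader) error) ([]byte, error) {
	s := NewLFSServer()
	secret := []byte("constructed sample: deploy-key=hunter2\n") // constructed test data
	victimOID := OID(secret)
	if err := upload(s, 1, victimOID, bytes.NewReader(secret)); err != nil {
		return nil, err
	}
	// The attacker knows only the OID; the body is unrelated junk.
	if err := upload(s, 2, victimOID, bytes.NewReader([]byte("junk"))); err != nil {
		return nil, err
	}
	return s.Download(2, victimOID)
}

func main() {
	body, err := Scenario((*LFSServer).UploadVulnerable)
	fmt.Printf("vulnerable: err=%v body=%q\n", err, body)
	body, err = Scenario((*LFSServer).UploadFixed)
	fmt.Printf("fixed:      err=%v body=%q\n", err, body)
}
```

Running main shows the vulnerable path handing the private repository's bytes to repository 2 and the fixed path rejecting the attacker's upload with ErrOIDMismatch before any row is written. The property the fix restores is that binding a (repo_id, oid) pair requires possession of the content: an existing blob on disk is never taken as proof of ownership.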

Impact Analysis

The impact is a loss of confidentiality across repository boundaries: any authenticated user who can push to one repository on the instance can read LFS objects belonging to any private repository, provided they know the objects' OIDs. LFS typically holds large binaries, datasets, build artifacts and archives, so the exposed data can include proprietary or sensitive material.

Because the upload path deduplicates rather than overwrites, the attacker's request does not replace the victim's object on disk; the integrity of the original bytes is not affected by this bug. The abuse does leave a trace, namely an lfs_object row for the attacker's repository that references an OID first uploaded by a different repository.

Mitigation Strategies

Upgrade Gogs to version 0.14.3 or later, which fixes this issue; the page describes no configuration workaround. After upgrading, an operator who suspects abuse can audit the lfs_object table for OIDs referenced by more than one repo_id, paying particular attention to rows that bind a private repository's OID to a repository under different ownership, and treat the contents of any such object as disclosed.
