CVE-2026-52812
Deferred Deferred - Pending Action

Path Traversal in Gogs Git Service

Vulnerability report for CVE-2026-52812, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint. This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows cross-tenant disclosure of any Git LFS object, including sensitive data such as certificates, keys, or personally identifiable information (PII). This unauthorized access to private repository content could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive and personal data.

Because the exploit enables persistent unauthorized access until manually revoked, organizations using affected versions of Gogs may face compliance risks related to data confidentiality and integrity requirements under these standards.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, prior to version 0.14.3. The issue arises because Git LFS (Large File Storage) objects are stored based only on their OID (object ID) without proper verification. When a user uploads a file, the system skips re-uploading if the file with the same OID already exists on disk and inserts a new database entry linking the user's repository to that OID without verifying that the uploaded content actually matches the OID.

As a result, any user with write access to one repository can link their repository to an OID owned by a private repository and download the original file bytes through their own download endpoint, effectively bypassing repository access controls.

This vulnerability was fixed in version 0.14.3 of Gogs.

Impact Analysis

This vulnerability can lead to unauthorized data access. Specifically, a user with write access to one repository can access and download files from private repositories they should not have access to by exploiting the way Git LFS objects are referenced and stored.

This could result in exposure of sensitive or confidential data stored in private repositories, potentially leading to data breaches or leakage of proprietary information.

Mitigation Strategies

The vulnerability is fixed in Gogs version 0.14.3. To mitigate this vulnerability, you should upgrade your Gogs installation to version 0.14.3 or later.

Detection Guidance

This vulnerability involves unauthorized access to Git LFS objects by exploiting the deduplication logic in Gogs versions prior to 0.14.3. Detection would involve monitoring for unusual Git LFS upload or download activity, especially HTTP PUT requests that bind repositories to OIDs without proper verification.

Specifically, you can look for HTTP write access requests (PUT) to the LFS upload endpoints that attempt to bind an OID already existing on disk but with content that does not match the OID hash.

While no explicit detection commands are provided in the resources, network monitoring tools or web server logs can be used to identify suspicious LFS upload requests. For example, you can use commands like the following to search web server logs for suspicious PUT requests to LFS endpoints:

  • grep 'PUT /lfs/' /var/log/nginx/access.log
  • grep -i 'upload' /var/log/gogs/gogs.log

Additionally, monitoring for multiple repositories binding to the same OID or unexpected repository bindings in the `lfs_object` table in the database could indicate exploitation attempts.

Upgrading to version 0.14.3 or later is the recommended mitigation to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart