CVE-2026-52813
Deferred Deferred - Pending Action

Path Traversal in Gogs Leads to Remote Code Execution

Vulnerability report for CVE-2026-52813, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gogs gogs to 0.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-52813 allows attackers to execute remote code by exploiting path traversal vulnerabilities in Gogs, potentially leading to unauthorized access and modification of data stored on the filesystem.

Such unauthorized access and control over data could result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and availability.

Specifically, the vulnerability's ability to compromise confidentiality (C), integrity (I), and availability (A) of data, as indicated by its CVSS score, means affected organizations could fail to meet compliance requirements that require safeguarding sensitive information and preventing unauthorized system access.

Executive Summary

This vulnerability exists in Gogs, an open source self-hosted Git service, in versions prior to 0.14.3. It allows organization names containing path traversal sequences (../) to be accepted, which causes repositories to be stored or retrieved at arbitrary filesystem locations. By exploiting this, an attacker can create nested Git repositories that overwrite each other's hooks configuration, potentially leading to Remote Code Execution (RCE).

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and control over the system running Gogs. Because it allows Remote Code Execution without any privileges or user interaction, an attacker can execute arbitrary code remotely, potentially compromising confidentiality, integrity, and availability of the system and data.

Mitigation Strategies

The vulnerability in Gogs is fixed in version 0.14.3. To mitigate this vulnerability, you should immediately upgrade your Gogs installation to version 0.14.3 or later.

Detection Guidance

This vulnerability can be detected by checking for the presence of organization names containing path traversal sequences (e.g., ../) in your Gogs instance prior to version 0.14.3. Specifically, you should look for organizations created with names that include sequences like "../../../" or similar patterns that could allow repositories to be written outside the intended directories.

To detect such potentially malicious organizations or repositories, you can query the Gogs database or API for organization names containing path traversal patterns.

  • Use a command or script to search the Gogs database for organization names with '../' or similar sequences.
  • Example SQL query (adjust according to your database schema): SELECT * FROM organizations WHERE name LIKE '%../%';
  • Use curl or similar tools to attempt creating an organization with a path traversal name and observe if the request is rejected (in patched versions) or accepted (in vulnerable versions). For example: curl -X POST -d '{"username":"../../../tmp/poc"}' -H 'Content-Type: application/json' https://your-gogs-instance/api/v1/orgs

If the request is accepted and the organization is created, your system is vulnerable. If it is rejected with a 422 Unprocessable Entity error, the fix is in place.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52813. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart