CVE-2026-23633 in Gogs
Summary
by MITRE • 02/06/2026
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2026-23633 affects Gogs, an open source self-hosted Git service used by organizations that keep their version control on their own infrastructure. The flaw is a path traversal in the Git hook editing feature: the hook-editing requests accept a file path that is not confined to the repository's hooks directory, so a user who can reach that feature obtains arbitrary file read and write on the server. Versions 0.13.3 and earlier are affected. Git hooks are scripts that Git runs automatically at defined points; in a hosted bare repository these are the server-side hooks (pre-receive, update and post-receive), which makes them both a routine automation tool and a direct execution path into the host. The hook editor targeted here is the one administrators use to set up automated workflows, push-time policy checks and post-receive operations for a repository.
Technically, the weakness is missing input validation and path sanitization in the hook editing component. When a hook is viewed or saved through the web interface, the application does not verify that the file path derived from the request parameters stays within the intended hooks directory, so a value containing traversal sequences such as ../ reaches the filesystem unchanged. Reads disclose any file the Gogs process can open, including the application's own configuration and repository contents. Writes are worse: hook files are executed by Git on the server when pushes arrive, so overwriting one turns the write primitive into code execution on the host. The defect sits at the application layer, where user-supplied data flows into file operations without a boundary check or an access control decision.
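The pattern described above, shown as an added Go example that is not Gogs' own code: an unsafe join of a caller-controlled hook name onto the hooks directory next to a hardened version that combines an allowlist of server-side hook names with a containment check. The repository path, the hooks directory layout and the allowlist are assumptions for the illustration, not taken from the Gogs source.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Server-side hook names Git invokes in a bare repository. Treating this as an
// allowlist is the primary control; the list is an assumption for this example
// and is not copied from Gogs.
var allowedHooks = map[string]bool{
	"pre-receive":  true,
	"update":       true,
	"post-receive": true,
}

// vulnerableHookPath reproduces the unsafe pattern: the caller-controlled hook
// name is joined straight onto the hooks directory. filepath.Join cleans the
// result, so "../../../../etc/passwd" silently walks out of the repository.
func vulnerableHookPath(repoPath, name string) string {
	return filepath.Join(repoPath, "hooks", name)
}

// hookPathWithin is the containment check on its own: it resolves the
// candidate path and verifies it still lies strictly inside hooksDir.
func hookPathWithin(hooksDir, name string) (string, error) {
	base, err := filepath.Abs(hooksDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(base, name)
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", err
	}
	// "." would be the directory itself; ".." or "../x" means the name escaped.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("hook name %q escapes %s", name, base)
	}
	return candidate, nil
}

// safeHookPath layers both controls: reject anything that is not a known hook
// name, then confirm containment anyway so a future change to the allowlist
// cannot reintroduce traversal.
func safeHookPath(repoPath, name string) (string, error) {
	if !allowedHooks[name] {
		return "", errors.New("unknown hook name: " + name)
	}
	return hookPathWithin(filepath.Join(repoPath, "hooks"), name)
}

func main() {
	repo := "/srv/gogs/repos/alice/demo.git" // hypothetical repository path
	fmt.Println("vulnerable:", vulnerableHookPath(repo, "../../../../etc/passwd"))
	for _, name := range []string{"post-receive", "../config", "pre-receive.sample"} {
		if p, err := safeHookPath(repo, name); err != nil {
			fmt.Printf("rejected %q: %v\n", name, err)
		} else {
			fmt.Printf("accepted %q -> %s\n", name, p)
		}
	}
}
```

The allowlist is the check that actually matters here, because a hook editor only ever needs a handful of fixed names; the containment check is defense in depth for any later code path that accepts a free-form name. Neither check protects against a symlink already planted inside the hooks directory, so code that opens the resulting path should also resolve it with filepath.EvalSymlinks or open it with O_NOFOLLOW before writing.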
The operational impact goes well beyond data exposure. An attacker can read sensitive repository and server data, rewrite hooks so that the next push executes code of their choosing, or leave a persistent backdoor in a hook file that survives ordinary repository activity. The consequences are most severe where hooks drive continuous integration, automated deployment or policy enforcement: a tampered hook can bypass those controls or inject code into the development pipeline. In effect, the flaw lets a user of the hook editor step outside the repository permission model and run commands on the host as the Gogs service, which can end in full compromise of the source code management system and the workflows built on it.
Organizations running an affected version should upgrade to 0.13.4 or to 0.14.0+dev, the fixed versions named by the vendor. Until then, and as standing practice afterwards, restrict the Git hook editing functionality to the smallest possible set of administrators, and monitor for any modification of hook files under the repository storage directory. Because a write to a hook during the exposure window is effectively code execution, security teams should audit every existing server-side hook, comparing each against a known-good copy rather than reading it for intent only. The vulnerability maps to CWE-22 Path Traversal and CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component, and to ATT&CK technique T1059 Command and Scripting Interpreter for the execution that a tampered hook provides. Network segmentation of the Git host and file-access monitoring on the repository directory help detect exploitation attempts that slip past the application layer.
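A starting point for the hook audit recommended above, as an added Go example that is not part of the VulDB analysis or the Gogs project: it walks a repository root, inventories every non-sample file under any directory named hooks (so nested layouts such as hooks/update.d/ are covered too), records a SHA-256 digest and modification time for each, and flags any hook whose digest is absent from or differs from a baseline map recorded at the last review. The repository root path and the assumption that Gogs stores bare repositories under one directory tree are hypothetical for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// HookFinding is one non-sample file found under a hooks directory.
type HookFinding struct {
	RelPath string      // slash-separated path relative to the repository root
	SHA256  string      // hex digest of the content; empty for non-regular files
	Mode    fs.FileMode // permission bits and file type
	ModTime time.Time   // last modification, useful for scoping to the exposure window
	Known   bool        // digest matches the baseline entry for RelPath
}

// underHooksDir reports whether any directory component of rel is "hooks", so
// both hooks/post-receive and nested layouts like hooks/update.d/custom match.
func underHooksDir(rel string) bool {
	parts := strings.Split(filepath.ToSlash(rel), "/")
	for _, p := range parts[:len(parts)-1] {
		if p == "hooks" {
			return true
		}
	}
	return false
}

func fileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// auditHooks walks root and returns a finding for every file under a hooks
// directory that is not a Git-supplied *.sample. baseline maps RelPath to the
// digest recorded when the hook was last reviewed; anything missing from it or
// differing from it comes back with Known=false. Symlinks and other non-regular
// entries are always reported as unknown, since a hook should be a plain file.
func auditHooks(root string, baseline map[string]string) ([]HookFinding, error) {
	var findings []HookFinding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		if d.IsDir() || !underHooksDir(rel) || strings.HasSuffix(d.Name(), ".sample") {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		f := HookFinding{RelPath: filepath.ToSlash(rel), Mode: info.Mode(), ModTime: info.ModTime()}
		if info.Mode().IsRegular() {
			if f.SHA256, err = fileSHA256(path); err != nil {
				return err
			}
			f.Known = baseline[f.RelPath] == f.SHA256
		}
		findings = append(findings, f)
		return nil
	})
	return findings, err
}

// unknownHooks filters the findings down to the ones that need a human look.
func unknownHooks(findings []HookFinding) []HookFinding {
	var out []HookFinding
	for _, f := range findings {
		if !f.Known {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	root := "/srv/gogs/repos" // hypothetical Gogs repository root
	findings, err := auditHooks(root, nil)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, f := range unknownHooks(findings) {
		fmt.Printf("%s  %s  %s  %s\n", f.ModTime.Format(time.RFC3339), f.Mode, f.SHA256, f.RelPath)
	}
}
```

Run it once with an empty baseline to get the full inventory, review each hook, then persist the RelPath to SHA256 pairs as the baseline for later runs; from then on only hooks that changed or appeared since the review are printed. Modification times are reported for triage but not trusted for the decision, since an attacker with a write primitive can also reset them.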