CVE-2026-52801 in Gogs
Summary
by MITRE • 06/25/2026
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provides an alternative way, apart from the well-protected New Migration functionality, for any authenticated user to import local repositories. This issue stems from a lack of validation in the SaveAddress function. This vulnerability is fixed in 0.14.3.
Analysis
by VulDB Data Team • 06/25/2026
The Gogs Git service vulnerability represents a critical access control flaw that undermines the security posture of self-hosted Git repositories. This issue affects versions prior to 0.14.3 and specifically targets the mirror settings functionality within the application's administrative interface. The vulnerability manifests through insufficient input validation in the SaveAddress function, which allows authenticated users to bypass intended security controls and access repository import mechanisms that should be restricted to authorized administrators only.
The technical flaw stems from a design oversight where the mirror settings feature fails to properly validate user inputs before processing repository import requests. This validation gap enables any authenticated user within the system to leverage the SaveAddress function to import local repositories through alternative pathways that circumvent the normally protected New Migration functionality. The vulnerability effectively creates an unintended privilege escalation vector where standard users can gain access to administrative repository import capabilities.
From an operational impact perspective, this vulnerability poses significant risks to organizations relying on Gogs for code repository management. Attackers who gain access to any authenticated user account can potentially import malicious repositories into the system, creating opportunities for code injection attacks, data exfiltration, or repository compromise. The vulnerability undermines the principle of least privilege and could enable lateral movement within the organization's development infrastructure, particularly in environments where multiple developers have access to the Git service.
The security implications extend beyond simple unauthorized access, as this flaw can facilitate various attack vectors including supply chain compromises through malicious code injection, persistent backdoor creation via compromised repository imports, and potential escalation to system-level access if the Git server has elevated permissions. Organizations may face compliance violations and audit failures due to unauthorized data handling capabilities that should be restricted to privileged administrators only.
Mitigation strategies should focus on immediate deployment of Gogs version 0.14.3 or later, which includes proper input validation for the SaveAddress function. Security teams should also implement network-level restrictions to limit access to administrative functions, regularly audit user permissions and repository imports, and consider implementing additional authentication layers for critical administrative operations. The vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and maps to ATT&CK technique T1078 for valid accounts and T1566 for credential theft and abuse.
Organizations should conduct comprehensive security assessments of their Git infrastructure, review access controls for repository import functions, and monitor for suspicious import activities that may indicate exploitation attempts. The fix implemented in version 0.14.3 demonstrates proper input validation practices that align with secure coding guidelines and industry best practices for maintaining application integrity while preserving legitimate user functionality within the Gogs platform's operational scope.
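The two defensive points the analysis raises, validating a mirror address before it is saved so that non-administrators cannot point a mirror at the server's own filesystem, and auditing already-configured mirrors for such addresses, are illustrated below. This is an added example written for this page in Go, the language Gogs is written in; it is not Gogs's own code and does not reproduce the actual 0.14.3 fix. The function names ValidateMirrorAddress and FindLocalMirrors, the set of accepted URL schemes, and the sample mirror table are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// ErrLocalAddress is returned when a mirror address would make the server read a
// local path instead of fetching from a remote repository.
var ErrLocalAddress = errors.New("mirror address must be a remote repository URL")

// allowedSchemes is the set of URL schemes accepted for a mirror source.
// This list is an assumption for the example, not Gogs's own policy.
var allowedSchemes = map[string]bool{"http": true, "https": true, "git": true, "ssh": true}

// ValidateMirrorAddress (hypothetical name) rejects local filesystem paths and
// file:// URLs unless the caller is an administrator, mirroring the restriction the
// advisory describes for the New Migration feature.
func ValidateMirrorAddress(addr string, isAdmin bool) error {
	addr = strings.TrimSpace(addr)
	if addr == "" {
		return errors.New("mirror address is empty")
	}
	if isAdmin {
		return nil // administrators keep the ability to import local repositories
	}
	// Absolute, relative and home-relative paths carry no scheme at all.
	if strings.HasPrefix(addr, "/") || strings.HasPrefix(addr, ".") || strings.HasPrefix(addr, "~") {
		return ErrLocalAddress
	}
	if !strings.Contains(addr, "://") {
		// scp-style "user@host:path" is remote, but git only treats it that way when
		// no slash appears before the first colon; a lone letter before the colon
		// is a Windows drive path, which is local.
		colon := strings.Index(addr, ":")
		slash := strings.Index(addr, "/")
		if colon > 0 && (slash == -1 || colon < slash) {
			if colon == 1 {
				return ErrLocalAddress
			}
			return nil
		}
		return ErrLocalAddress
	}
	u, err := url.Parse(addr)
	if err != nil {
		return fmt.Errorf("unparseable mirror address: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return ErrLocalAddress // file:// and any unexpected scheme
	}
	if u.Host == "" {
		return ErrLocalAddress // "http:///var/repos/x.git" still resolves locally
	}
	return nil
}

// FindLocalMirrors (hypothetical name) audits a map of repository name to mirror
// address and returns, sorted, the repositories whose mirror source would have been
// rejected for a non-administrator. It serves the audit step the advisory recommends.
func FindLocalMirrors(mirrors map[string]string) []string {
	var flagged []string
	for repo, addr := range mirrors {
		if ValidateMirrorAddress(addr, false) != nil {
			flagged = append(flagged, repo)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleMirrors returns a constructed mirror table used only to demonstrate the audit.
func SampleMirrors() map[string]string {
	return map[string]string{
		"app/frontend":         "https://github.com/example-org/frontend.git",
		"lib/crypto":           "git@git.example.internal:lib/crypto.git",
		"infra/internal-tools": "/var/lib/gogs-repositories/secret.git",
		"ops/backup":           "file:///srv/backups/ops.git",
	}
}

func main() {
	for _, repo := range FindLocalMirrors(SampleMirrors()) {
		fmt.Printf("mirror for %s points at a local path; review who configured it\n", repo)
	}
}
```

The validator is written so that the check happens before the address is persisted, which is where the advisory locates the missing validation; the audit function lets an operator apply the same rule retroactively to mirrors created before the upgrade to 0.14.3.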