CVE-2026-52810 in Gogs
Summary
by MITRE • 06/25/2026
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.
Analysis
by VulDB Data Team • 06/25/2026
The vulnerability in Gogs versions prior to 0.14.3 is a critical authorization bypass that undermines the core security model of the Git service. It affects the Git smart HTTP implementation, where the handler derives the required access level from the service query string supplied by the client. During authorization of a POST to git-receive-pack, a client-supplied ?service=git-upload-pack is evaluated as a read request and passes for users with read-only access, while the routing layer still executes git receive-pack, which is the push operation.
Technically, the flaw stems from a mismatch between the authorization logic and the command execution path in the Git smart HTTP handler. The requested endpoint, git-receive-pack, determines which Git command runs, but the access check trusts the service parameter instead: a request carrying ?service=git-upload-pack is checked against read permission only, even though the server goes on to run receive-pack. A user who holds only read access can therefore push to the repository.
The operational impact is significant: an attacker can bypass repository access controls and compromise the integrity of source code stored in the Gogs instance. An attacker could exploit the flaw to push malicious code, modify existing files, or delete branches in repositories that should be protected from writes. This is a direct violation of the principle of least privilege that governs secure software development practices.
This vulnerability is classified as CWE-285 (improper authorization) and is mapped to ATT&CK technique T1078.004, which covers the use of valid accounts for lateral movement. The flaw amounts to privilege escalation through improper access control enforcement, which is particularly dangerous where multiple users share the same Git instance. Organizations running affected Gogs versions face risks of code injection, data corruption, and compromise of their development infrastructure.
The fix in version 0.14.3 ensures that the authorization logic validates the required access level against the Git command actually being executed rather than against the client-supplied service parameter alone. This corrects the mismatch between access control decisions and command execution paths and restores proper authorization controls for Git smart HTTP operations. Organizations should upgrade to version 0.14.3 or later immediately to remediate the vulnerability and prevent exploitation of the bypass for unauthorized code modifications.
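The mismatch described in the analysis, and the route-based check that the fix restores, as an added illustration in Go. This is constructed example code, not Gogs source: the function and type names are hypothetical, and it assumes the standard smart HTTP layout (POST …/git-upload-pack for fetch, POST …/git-receive-pack for push, GET …/info/refs?service=… for ref advertisement).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AccessMode is the permission a user holds on a repository.
type AccessMode int

const (
	AccessRead AccessMode = iota + 1
	AccessWrite
)

// serviceToMode maps a smart HTTP service name to the access it needs;
// anything but upload-pack (fetch/clone) fails closed to write.
func serviceToMode(service string) AccessMode {
	if service == "git-upload-pack" {
		return AccessRead
	}
	return AccessWrite
}

// requiredAccessVulnerable mirrors the flawed pattern: the needed permission
// is taken from the client-controlled ?service= value, whatever the route.
func requiredAccessVulnerable(u *url.URL) AccessMode {
	return serviceToMode(u.Query().Get("service"))
}

// requiredAccessFixed derives the needed permission from the route that is
// about to run; the query string only matters for the ref advertisement.
func requiredAccessFixed(u *url.URL) AccessMode {
	switch {
	case strings.HasSuffix(u.Path, "/git-upload-pack"):
		return AccessRead
	case strings.HasSuffix(u.Path, "/info/refs"):
		return serviceToMode(u.Query().Get("service"))
	}
	return AccessWrite // git-receive-pack and anything unexpected
}

func allowed(have, need AccessMode) bool { return have >= need }

func main() {
	u, _ := url.Parse("/org/repo.git/git-receive-pack?service=git-upload-pack") // constructed
	fmt.Println(allowed(AccessRead, requiredAccessVulnerable(u)))               // true
	fmt.Println(allowed(AccessRead, requiredAccessFixed(u)))                    // false
}
```

A regression test for the fix asserts the second result, and that readers can still fetch and writers can still push through the route-based check.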