CVE-2026-52813 in Gogs

Summary

by MITRE • 06/25/2026

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.


Analysis

by VulDB Data Team • 06/25/2026

This vulnerability in Gogs is a critical path traversal flaw that undermines the directory isolation the self-hosted Git service relies on. The issue arises from insufficient input validation when processing organization names, which lets a user inject path traversal sequences such as ../ into the name. When an organization is created with such a name, the system accepts it without sanitization and subsequently stores repository data at the traversed path rather than under the organization's own directory. The vulnerability maps to CWE-23 Path Traversal and CWE-77 Path Traversal in the Common Weakness Enumeration catalog, demonstrating how inadequate input validation can lead to arbitrary file system access.

The operational impact of this vulnerability extends well beyond unauthorized file access, because it creates a pathway to remote code execution through Git hook manipulation. An attacker who exploits it can create nested repository structures that overwrite the hooks configuration of an adjacent repository. This leverages the Git hook execution model, in which hooks run with the privileges of the repository owner, potentially enabling arbitrary code execution on the host system. The ATT&CK framework categorizes this as a privilege escalation technique through file system manipulation and, when hooks are used for long-term access, as a persistence mechanism. Exploitation requires only the ability to create organizations within the Gogs instance, which makes it particularly dangerous in multi-tenant environments where ordinary users have no administrative privileges.

The remediation for this vulnerability is strict validation of organization names so that any path traversal sequence is rejected before the name reaches a file system operation. Version 0.14.3 introduced filtering that refuses organization names containing ../ or similar traversal patterns, closing the attack vector. Organizations running vulnerable versions should upgrade to 0.14.3 or later and audit existing repositories for signs of exploitation, in particular repository directories outside the expected organization tree and unexpected changes to hooks. Additionally, restrictive file system permissions and access controls serve as a defense in depth measure, ensuring that even if a path traversal occurs its impact remains limited. The vulnerability underlines the importance of validating user input at every layer of application processing, particularly around file system operations, and shows how a seemingly simple input validation issue can lead to severe security consequences.
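The two defensive layers described above, an allow-list name check and a containment check on the resolved repository path, as a constructed Go example added here; it is not Gogs's own code, and the repository root, organization names and the .git suffix convention are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var ErrUnsafeName = errors.New("unsafe organization or repository name")

// Allow-list: one path segment of letters, digits, '.', '-' and '_' that does
// not start with '.', so "..", "." and anything containing a separator fail.
var namePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// ValidateName is the input-validation layer: reject rather than sanitise.
func ValidateName(name string) error {
	if !namePattern.MatchString(name) {
		return fmt.Errorf("%w: %q", ErrUnsafeName, name)
	}
	return nil
}

// ContainedPath is the defence-in-depth layer: build <root>/<org>/<repo>.git and
// refuse any result whose cleaned form is not strictly below root. It catches
// "../../tmp" but not "a/../b", which stays under root while escaping its own
// organization directory, so it does not replace ValidateName.
func ContainedPath(root, org, repo string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	p := filepath.Join(absRoot, org, repo+".git") // Join resolves ".." segments
	if !strings.HasPrefix(p, absRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %s", ErrUnsafeName, org, absRoot)
	}
	return p, nil
}

// RepoPath applies both layers, as a hardened storage lookup would.
func RepoPath(root, org, repo string) (string, error) {
	for _, n := range []string{org, repo} {
		if err := ValidateName(n); err != nil {
			return "", err
		}
	}
	return ContainedPath(root, org, repo)
}

func main() {
	for _, org := range []string{"acme", "../../tmp", "a/../b"} { // constructed inputs
		p, err := RepoPath("/srv/gogs-repositories", org, "www")
		fmt.Printf("%-12q -> path=%q err=%v\n", org, p, err)
	}
}
```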

Responsible

GitHub M

Reservation

06/08/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources
