Skip to main content

Gogs EUVDEUVD-2026-39070

| CVE-2026-52801 HIGH
Improper Input Validation (CWE-20)
2026-06-23 https://github.com/gogs/gogs GHSA-wv27-2vqp-j7g5
8.1
CVSS 3.1 · Vendor: https://github.com/gogs/gogs
Share

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Network-reachable web UI, low-priv authenticated user, no UI; high confidentiality from local repo read, low availability from SSRF/mirror noise, no integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS VectorVendor: https://github.com/gogs/gogs

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 00:27 vuln.today
Analysis Generated
Jun 23, 2026 - 00:27 vuln.today

DescriptionCVE.org

Summary

The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.

Details

Here is the function implementation of the secure New Migration functionality. <img width="1200" height="755" alt="image" src="https://github.com/user-attachments/assets/a6c2f307-715e-4451-bbc1-7bd934d56f96" />

Here is the function implementation of the Mirror Settings without any validation. <img width="1200" height="477" alt="image" src="https://github.com/user-attachments/assets/a11c41b8-1d08-499c-bce6-ab40844211d7" />

PoC

The New Migration feature correctly blocked my attempt to import a local repository. <img width="1200" height="1008" alt="image" src="https://github.com/user-attachments/assets/dfc5aa3f-1cc4-427d-b7fe-274363c83c4e" />

But if I create a normal migration with a valid repository. <img width="1200" height="1006" alt="image" src="https://github.com/user-attachments/assets/c96b356e-8ca9-4e79-a69b-ff14593c0cac" />

Then, I could use the Mirror Settings feature under the Repository Settings sync a local repository. <img width="1200" height="476" alt="image" src="https://github.com/user-attachments/assets/9105475c-ae68-4d93-96d5-a3ec356deba7" />

Here is the result after the sync. <img width="1200" height="533" alt="image" src="https://github.com/user-attachments/assets/1df76642-3e55-4493-a422-f7f0619b463d" />

Impact

Users can import local repositories from the server's filesystem, which allows accessing any repository the git user has access to. There is also a potential issue of blind SSRF.

AnalysisAI

Local repository import and blind SSRF in Gogs versions prior to 0.14.3 allows authenticated users to bypass clone-address validation via the Mirror Settings feature. The SaveAddress path in repository Mirror Settings omitted the validation applied to New Migration, letting any authenticated user point a mirror at a local filesystem path or internal address. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to Gogs with low-privileged account
Delivery
Create repository via normal migration
Exploit
Open Repository Settings Mirror form
Install
Submit local path or internal URL as MirrorAddress
C2
SaveAddress stores it without validation
Execute
Mirror sync reads local repo or hits internal service
Impact
Exfiltrate code or infer internal topology

Vulnerability AssessmentAI

Exploitation Requires an authenticated Gogs account that can create or own at least one repository and access Repository Settings > Mirror Settings; the target Gogs instance must be running a version below 0.14.3 and must have local filesystem repositories or internal network services reachable from the Gogs process for the impact to be meaningful. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 base score 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) is plausible: network-reachable web UI, low complexity, only a low-privileged authenticated user with a repository is needed, no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any authenticated Gogs account creates a normal repository migration from a benign remote URL, then opens Repository Settings and submits a Mirror Address of file:///srv/gogs/repositories/<victim>/<repo>.git or an internal URL such as http://169.254.169.254/latest/meta-data/. On the next mirror sync, Gogs reads the local repository contents or issues the internal request, exposing other tenants' code or probing internal services blindly via timing and error responses.
Remediation Vendor-released patch: upgrade Gogs to 0.14.3 or later (https://github.com/gogs/gogs/releases/tag/v0.14.3), which routes Mirror Settings through the same ParseRemoteAddr validator used by New Migration (PR https://github.com/gogs/gogs/pull/8225, commit 11e19f28b5c82466fd1689c94344ef4313ee986c). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Gogs instances running versions prior to 0.14.3 and document users with repository creation/mirroring permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy