AI description
CVE-2026-52811 describes a vulnerability in Gogs, an open-source self-hosted Git service, affecting versions prior to 0.14.3. The flaw is in the `UploadRepoFiles` function, which checks for symlinks only on the leaf of the upload target, whereas the related file operations (update, delete and diff preview) check every component of the path. An attacker with repository-write access can exploit this by performing a multipart upload whose filename contains a literal backslash. On Linux, `filepath.Base` keeps the backslash, a later path-cleaning step turns it into `/`, and the resulting path walks through a previously committed directory symlink. Because the destination is opened without `O_NOFOLLOW`, the kernel follows that symlink and the attacker can write arbitrary data anywhere the Gogs user ID can write, which can yield an SSH foothold or remote code execution on the next push. Windows builds are not affected: `filepath.Base` treats the backslash as a path separator there, and Git's default symlink handling on Windows checks symlinks out as plain files rather than real links.
- Description
- Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write — ~git/.ssh/authorized_keys → SSH foothold, or <repo>.git/hooks/post-receive → next-push RCE. This vulnerability is fixed in 0.14.3.
- Source
- security-advisories@github.com
- NVD status
- Deferred
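The three ingredients described above (a leaf-only symlink check, a backslash that survives `filepath.Base` on Linux, and a plain `os.Create` that follows the parent symlink) are easy to reproduce on a throwaway directory. The Go program below is an added example written for this page; it is not Gogs code. `hasSymlinkInPath` reimplements the per-component Lstat walk the advisory attributes to the sibling handlers, `normalizeUploadName` approximates the Base-then-Clean round trip (the `ReplaceAll`+`Clean` pair stands in for the `pathx.Clean` step the advisory names; that substitution is an assumption), and `safeUploadPath`, `DemoResult` and `RunDemo` are hypothetical helpers. The layout `RunDemo` builds, with a `docs` symlink pointing out of the work tree, is constructed for the demonstration and stands in for any directory the gogs UID can write to.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// hasSymlinkInPath lstats every component of rel beneath root, the check the advisory
// says the sibling handlers used. A component that does not exist yet cannot be a symlink.
func hasSymlinkInPath(root, rel string) (bool, error) {
	cur := root
	for _, part := range strings.Split(filepath.ToSlash(rel), "/") {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return false, nil
		}
		if err != nil {
			return false, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return true, nil
		}
	}
	return false, nil
}

// normalizeUploadName reproduces the Linux-only quirk: filepath.Base treats only '/' as a
// separator, so a literal backslash survives it, and the later backslash-to-slash conversion
// (ReplaceAll+Clean here, an assumed stand-in for pathx.Clean) turns the "flat" name into a path.
func normalizeUploadName(name string) string {
	return filepath.Clean(strings.ReplaceAll(filepath.Base(name), "\\", "/"))
}

// safeUploadPath is an added hardened variant: refuse backslashes before any normalisation,
// drop ".." by anchoring Clean at "/", then lstat every component of the result.
func safeUploadPath(root, rel string) (string, error) {
	if strings.Contains(rel, "\\") {
		return "", errors.New("backslash in upload name")
	}
	rel = strings.TrimPrefix(filepath.Clean("/"+rel), "/")
	if bad, err := hasSymlinkInPath(root, rel); err != nil {
		return "", err
	} else if bad {
		return "", errors.New("symlink in upload path")
	}
	return filepath.Join(root, rel), nil
}

type DemoResult struct {
	LeafOnlyFlagged     bool // leaf-only Lstat (the vulnerable check) noticed the symlink
	FullPathFlagged     bool // hasSymlinkInPath noticed it
	EscapedWrite        bool // os.Create landed the file outside the work tree
	HardenedRejected    bool // safeUploadPath refused the redirected name
	HardenedAllowsPlain bool // ...and still accepted an ordinary filename
}

// RunDemo builds a throwaway work tree (constructed layout, not a real Gogs repository)
// with a directory symlink pointing outside it, as a previously committed symlink would.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	base, err := os.MkdirTemp("", "symlink-upload-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)
	repo, outside := filepath.Join(base, "repo"), filepath.Join(base, "outside")
	for _, d := range []string{repo, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	// "docs" is the committed symlink; "outside" stands in for ~git/.ssh, <repo>.git/hooks, etc.
	if err := os.Symlink(outside, filepath.Join(repo, "docs")); err != nil {
		return r, err
	}
	rel := normalizeUploadName("docs\\authorized_keys") // multipart filename with a literal backslash
	target := filepath.Join(repo, rel)
	fi, err := os.Lstat(target) // vulnerable check: the leaf does not exist yet, so nothing is flagged
	r.LeafOnlyFlagged = err == nil && fi.Mode()&os.ModeSymlink != 0
	if r.FullPathFlagged, err = hasSymlinkInPath(repo, rel); err != nil {
		return r, err
	}
	f, err := os.Create(target) // no O_NOFOLLOW: the kernel follows repo/docs into outside/
	if err != nil {
		return r, err
	}
	f.Close()
	_, err = os.Stat(filepath.Join(outside, "authorized_keys"))
	r.EscapedWrite = err == nil
	_, err = safeUploadPath(repo, rel)
	r.HardenedRejected = err != nil
	_, err = safeUploadPath(repo, "README.md")
	r.HardenedAllowsPlain = err == nil
	return r, nil
}
```

Run on Linux, `RunDemo` reports the leaf-only check seeing nothing, `hasSymlinkInPath` flagging the `docs` component, the file appearing under `outside/`, and the hardened check refusing the redirected name while still accepting `README.md`. Two caveats a reviewer would add: rejecting the backslash must happen on the raw multipart filename, before any Base or Clean step, since the whole problem is that normalisation re-creates separators; and even the per-component walk is a check-then-open race, so a symlink swapped in between the Lstat pass and `os.Create` still wins. Closing that window means opening relative to a directory descriptor (for example `openat2` with `RESOLVE_BENEATH` on Linux) rather than by absolute path, which is beyond what the advisory describes and what this example shows.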
CVSS 4.0
- Type
- Secondary
- Base score
- 9.0
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- Weakness (security-advisories@github.com)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 3
CVE-2026-52813 & CVE-2026-52806 & CVE-2026-52811: Three RCE vulnerabilities in gogs, up to 10.0 rating 🔥 Recently disclosed vulnerabilities in gogs allow an attacker to execute arbitrary code. PoCs exist for all three! 👉 https://t.co/PN3cJIwCW5 https://t.co/MUJWMlh
@Netlas_io
27 Jun 2026
453 impressions · 0 retweets · 7 likes · 0 bookmarks · 0 replies · 0 quotes
Three critical vulnerabilities fixed in Gogs, with a maximum CVSS score of 10: a path traversal allowing remote code execution, CVE-2026-52813; a rebase argument injection, CVE-2026-52806; and a file write via symbolic link, CVE-2026-
@__kokumoto
26 Jun 2026
609 impressions · 0 retweets · 0 likes · 2 bookmarks · 0 replies · 0 quotes
Warning: Multiple Critical Vulnerabilities in #Gogs. CVE-2026-52813, CVE-2026-52806 & CVE-2026-52811, max CVSS: 10.0. These flaws can lead to remote code execution #RCE! #Patch #Patch #Patch More info: https://t.co/VkhJfsDYIB
@CCBalert
25 Jun 2026
291 impressions · 0 retweets · 0 likes · 0 bookmarks · 0 replies · 0 quotes