Server-Side Request Forgery in Gogs Git Service by Gogs
CVE-2026-52805

8.7 HIGH

Key Information:

Vendor

Gogs

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-52805?

A Server-Side Request Forgery (SSRF) vulnerability in the repository migration feature of Gogs can be exploited by authenticated users. The user submits a public URL that redirects to a restricted internal endpoint, such as 127.0.0.1. As a result, the contents of the internal repository can be imported into a repository controlled by the attacker. The issue is fixed in Gogs version 0.14.3.
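The redirect problem described above is why a check on the submitted URL alone is not enough: every redirect hop has to pass the same check. The following Go sketch is an added example, not the Gogs 0.14.3 patch; it assumes the fetch goes through Go's `net/http`, and `isRestrictedIP`, `checkMigrationURL` and `checkRedirect` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// isRestrictedIP reports whether ip is an address a migration fetch must not reach.
func isRestrictedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

// checkMigrationURL (hypothetical helper) validates a single URL: the scheme
// first, then every address the host is or resolves to.
func checkMigrationURL(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal, so resolve the name
		var err error
		if ips, err = net.LookupIP(host); err != nil {
			return err
		}
	}
	for _, ip := range ips {
		if isRestrictedIP(ip) {
			return fmt.Errorf("%s maps to restricted address %s", host, ip)
		}
	}
	return nil
}

// checkRedirect re-validates each hop; use as http.Client{CheckRedirect: checkRedirect}.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return errors.New("too many redirects")
	}
	return checkMigrationURL(req.URL)
}

func main() {
	hop, _ := url.Parse("http://127.0.0.1:3000/internal/repo.git") // constructed redirect target
	fmt.Println(checkRedirect(&http.Request{URL: hop}, nil))
}
```

The name lookup here is separate from the connection that follows, so a dial-time address check on the resolved IP is still needed to cover DNS answers that change between the two.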

Affected Version(s)

gogs < 0.14.3

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
