Path Traversal Vulnerability in Gogs Git Service
CVE-2026-52813

10CRITICAL

Key Information:

Vendor

Gogs

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-52813?

CVE-2026-52813 is a path traversal vulnerability found in Gogs, an open-source self-hosted Git service popular for managing Git repositories. This vulnerability allows attackers to manipulate organization names to include path traversal sequences (e.g., "../"), which enables them to store or retrieve data in arbitrary locations on the file system. Consequently, this flaw poses a significant risk as it permits the creation of nested Git repository structures. An attacker could exploit this to overwrite critical configuration files, such as hooks, leading to remote code execution (RCE). This can severely compromise the integrity and confidentiality of the affected systems and the data they hold. A fix for this vulnerability has been made available in version 0.14.3 of Gogs.

Potential impact of CVE-2026-52813

  1. Remote Code Execution (RCE): The most severe impact of CVE-2026-52813 is the potential for remote code execution. By leveraging this vulnerability, an attacker can execute arbitrary code on the server, leading to a complete compromise of the Git service.

  2. Data Integrity Compromise: Through path traversal, attackers can manipulate repository data and configurations, which can lead to unauthorized changes within projects, potentially disrupting development workflows and altering critical data.

  3. Increased Attack Surface: The ability to store data in arbitrary filesystem locations increases the attack surface, making it easier for malicious actors to plant malware, create backdoors, or launch further attacks on interconnected systems or repositories.

Affected Version(s)

gogs < 0.14.3

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.