Path Traversal Vulnerability in Gogs Git Service
CVE-2026-52813
What is CVE-2026-52813?
CVE-2026-52813 is a path traversal vulnerability found in Gogs, an open-source self-hosted Git service popular for managing Git repositories. This vulnerability allows attackers to manipulate organization names to include path traversal sequences (e.g., "../"), which enables them to store or retrieve data in arbitrary locations on the file system. Consequently, this flaw poses a significant risk as it permits the creation of nested Git repository structures. An attacker could exploit this to overwrite critical configuration files, such as hooks, leading to remote code execution (RCE). This can severely compromise the integrity and confidentiality of the affected systems and the data they hold. A fix for this vulnerability has been made available in version 0.14.3 of Gogs.
Potential impact of CVE-2026-52813
-
Remote Code Execution (RCE): The most severe impact of CVE-2026-52813 is the potential for remote code execution. By leveraging this vulnerability, an attacker can execute arbitrary code on the server, leading to a complete compromise of the Git service.
-
Data Integrity Compromise: Through path traversal, attackers can manipulate repository data and configurations, which can lead to unauthorized changes within projects, potentially disrupting development workflows and altering critical data.
-
Increased Attack Surface: The ability to store data in arbitrary filesystem locations increases the attack surface, making it easier for malicious actors to plant malware, create backdoors, or launch further attacks on interconnected systems or repositories.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
gogs < 0.14.3
