Asymmetric Denial of Service Vulnerability in Gogs Git Service
CVE-2026-52814

5.5 MEDIUM

Key Information:

Vendor: Gogs

Status
Vendor
CVE Published: 24 June 2026

What is CVE-2026-52814?

Gogs, an open-source self-hosted Git service, has a vulnerability in its built-in Go SSH server that allows unauthenticated attackers to execute an asymmetric Denial of Service attack. This vulnerability arises from the server's failure to enforce read/write deadlines on TCP connections. An attacker can exploit this by opening numerous connections to the SSH port while withholding the SSH protocol banner, causing the server to spawn an unlimited number of goroutines that block indefinitely. This can lead to file descriptor exhaustion, effectively disrupting legitimate users' access to the Git SSH service and destabilizing the overall Gogs process, resulting in issues such as internal log rotation failures. The issue has been addressed in Gogs version 0.14.3.
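The missing control described above, as an added Go sketch (not Gogs code and not the 0.14.3 patch): a pre-authentication read under a deadline, plus a cap on unfinished handshakes, which is an extra measure the advisory does not mention. The names `handshake`, `serve`, `maxPending`, the `done` callback and the loopback address are assumptions for illustration, and the code reads a single banner line with the standard `net` package rather than running a real SSH handshake.

```go
package main

import (
	"bufio"
	"log"
	"net"
	"time"
)

// handshake reads the peer's identification line under a deadline. Without
// SetDeadline the read blocks until the peer sends or hangs up, pinning one
// goroutine and one file descriptor per silent connection.
func handshake(c net.Conn, timeout time.Duration) (string, error) {
	c.SetDeadline(time.Now().Add(timeout))
	defer c.SetDeadline(time.Time{}) // clear it for the post-handshake phase
	return bufio.NewReader(c).ReadString('\n')
}

// serve allows at most maxPending unfinished handshakes at once and passes
// each handshake's outcome to done (a hook added for this example).
func serve(ln net.Listener, maxPending int, timeout time.Duration, done func(error)) {
	slots := make(chan struct{}, maxPending)
	for {
		c, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		select {
		case slots <- struct{}{}:
		default:
			c.Close() // cap reached: shed load instead of adding a goroutine
			continue
		}
		go func(c net.Conn) {
			defer func() { c.Close(); <-slots }()
			_, err := handshake(c, timeout)
			done(err)
		}(c)
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:2222") // constructed demo address
	if err != nil {
		log.Fatal(err)
	}
	serve(ln, 64, 10*time.Second, func(err error) { log.Println("handshake ended:", err) })
}
```

A peer that never sends a banner ends with a timeout error after `timeout` and its descriptor is released; a real server would keep the `bufio.Reader` so bytes buffered past the banner are not lost.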

Affected Version(s)

gogs < 0.14.3

CVSS V4

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
