CRITICAL🇵🇱 Wersja polska

CVE-2026-52813

CVSS 10.0v3.1pub. 2026-06-24upd. 2026-06-26

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.

🤖 AI Analysis
How it works

The Gogs application does not properly validate organization names for path traversal sequences (../). As a result, repositories created within such organizations are physically stored in paths resulting from directory redirection — that is, outside their designated file system area. An attacker can create nested Git repository structures in such a way as to overwrite the hook configuration of another repository. Since Git hooks are executable on the server side, overwriting their contents allows arbitrary code execution in the context of the server process.

Impact

An unauthenticated attacker can gain full control over the server by executing arbitrary code (RCE), as well as write and read data anywhere in the file system, threatening the confidentiality, integrity, and availability of the system.

Mitigation & patch

Gogs should be updated to version 0.14.3 or later, which contains a patch eliminating the acceptance of path traversal sequences in organization names. The patch is available in the vendor's references and in the Gogs GitHub repository.

Who is affected

Gogs in versions before 0.14.3 (all self-hosted instances with the ability to create organizations).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References