Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs, an open source self-hosted Git service, had a flaw in the Mirror Settings feature that allowed any authenticated user to import local repositories. The vulnerability arose from missing validation in the SaveAddress function, enabling users to specify paths to local repositories and add them as mirrors. This permits the user to gain access to and potentially expose code or metadata stored locally on the server. The weakness is an instance of Improper Input Validation (CWE‑20).

Affected Systems

All Gogs deployments using versions older than 0.14.3 are affected. Any instance of the gogs:gogs product running before this release without the patch has the vulnerability.

Risk and Exploitability

The CVSS score of 8.1 denotes a high severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified, but the issue is not listed in the CISA KEV catalog. Because the flaw is accessed through the web interface and requires only authenticated user access, it is reasonably easy to exploit for any user with valid credentials. Therefore, the risk to confidentiality and integrity of local repositories is high, while the availability impact is moderate.

Generated by OpenCVE AI on June 24, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later. This patch removes the missing validation in the Mirror Settings SaveAddress function.
  • Restrict Mirror Settings functionality to administrative or trusted users only, ensuring that ordinary authenticated users cannot import repositories from the local filesystem.
  • Verify existing user permissions and revoke any elevated access that may have been granted to populations that should not be able to import local repositories.

Generated by OpenCVE AI on June 24, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wv27-2vqp-j7g5 Gogs has the ability to import local repositories via Mirror Settings
History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. This vulnerability is fixed in 0.14.3.
Title Gogs: Ability to import local repositories via Mirror Settings
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:24:21.641Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52801

cve-icon Vulnrichment

Updated: 2026-06-25T13:24:17.673Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:45:02Z

Weaknesses
  • CWE-20

    Improper Input Validation