Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs is an open source self-hosted Git service. Prior to version 0.14.3, the smart HTTP implementation authorizes POST requests to a repository's /git-receive-pack endpoint based on the client-supplied service query string rather than on the endpoint actually being served. When the query string carries ?service=git-upload-pack, the request is authorized as a read (fetch), yet the router still executes git receive-pack, the push (write) side of the protocol. An authenticated user holding only read access to a repository can therefore push arbitrary commits and refs to it, compromising the integrity of repositories that should be read-only for that user.
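The mechanism above is a classic confusion between what a request claims and what the server executes. The following Go program is an added illustration, not Gogs source: it models the vulnerable authorization pattern the advisory describes (the required access mode is taken from a client-supplied ?service= parameter) beside a hardened version that derives the required mode from the route the server will run, and it evaluates both against a read-only user sending the confused request. The host, repository path, and permission model are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// AccessMode is the permission level a user holds on one repository.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	accessNever // above every grant: the request can never be authorized
)

// modeFor maps a Git smart HTTP service name to the access it needs.
func modeFor(service string) AccessMode {
	switch service {
	case "git-upload-pack": // fetch/clone
		return AccessRead
	case "git-receive-pack": // push
		return AccessWrite
	}
	return accessNever
}

// routedService is the service the router will actually run for a POST:
// the last path segment, e.g. ".../repo.git/git-receive-pack".
func routedService(r *http.Request) string {
	return path.Base(r.URL.Path)
}

// requiredModeVulnerable reproduces the pattern the advisory describes
// (illustrative reconstruction, not Gogs code). A client-supplied ?service=
// wins over the path, so POST .../git-receive-pack?service=git-upload-pack
// is checked as a read even though receive-pack is what gets executed.
func requiredModeVulnerable(r *http.Request) AccessMode {
	service := r.URL.Query().Get("service")
	if service == "" {
		service = routedService(r) // real git clients send no ?service= on POST
	}
	return modeFor(service)
}

// requiredModeFixed authorizes what will be executed, not what the client
// claims. Only GET .../info/refs may consult the query string, because there
// the service parameter genuinely selects the ref advertisement. For a POST
// the path decides, and a contradicting ?service= is refused outright.
func requiredModeFixed(r *http.Request) AccessMode {
	if r.Method == http.MethodGet && strings.HasSuffix(r.URL.Path, "/info/refs") {
		return modeFor(r.URL.Query().Get("service"))
	}
	routed := routedService(r)
	if claimed := r.URL.Query().Get("service"); claimed != "" && claimed != routed {
		return accessNever
	}
	return modeFor(routed)
}

// authorize applies a policy for a user holding `granted` on the repository.
func authorize(granted AccessMode, r *http.Request, policy func(*http.Request) AccessMode) bool {
	required := policy(r)
	return required != accessNever && granted >= required
}

// decide returns (vulnerableAllows, fixedAllows) for one request.
func decide(granted AccessMode, method, rawURL string) (bool, bool) {
	r, err := http.NewRequest(method, rawURL, nil)
	if err != nil {
		return false, false
	}
	return authorize(granted, r, requiredModeVulnerable), authorize(granted, r, requiredModeFixed)
}

func main() {
	const repo = "http://gogs.example/alice/repo.git" // hypothetical host and repository
	cases := []struct {
		name, method, url string
		granted           AccessMode
	}{
		{"confused push by read-only user", "POST", repo + "/git-receive-pack?service=git-upload-pack", AccessRead},
		{"plain push by read-only user", "POST", repo + "/git-receive-pack", AccessRead},
		{"plain push by writer", "POST", repo + "/git-receive-pack", AccessWrite},
		{"fetch by read-only user", "POST", repo + "/git-upload-pack", AccessRead},
		{"push advertisement by read-only user", "GET", repo + "/info/refs?service=git-receive-pack", AccessRead},
	}
	for _, c := range cases {
		v, f := decide(c.granted, c.method, c.url)
		fmt.Printf("%-38s vulnerable=%-5v fixed=%v\n", c.name, v, f)
	}
}
```

Only the first case differs between the two policies: the vulnerable policy lets the read-only user through because it trusts the claimed service, while the fixed policy sees that the claim contradicts the route and denies. Every other case behaves identically, which is the property a fix for this class of bug should preserve.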

Affected Systems

The flaw exists in all Gogs releases prior to 0.14.3. Any self-hosted instance that has not been upgraded to 0.14.3 or later and exposes Git over smart HTTP is affected, regardless of the number of users or the size of the deployment. The advisory describes the smart HTTP path only.

Risk and Exploitability

The CVSS v4.0 base score of 7.1 rates the vulnerability High: network attack vector, low attack complexity, low privileges required, no user interaction, and high integrity impact on the vulnerable repository (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N). It is not listed in the CISA Known Exploited Vulnerabilities catalog, and no EPSS score is available yet. Exploitation requires network access to the Gogs smart HTTP endpoint and credentials that grant read access to the target repository; the attacker sends a POST to the repository's /git-receive-pack endpoint with ?service=git-upload-pack appended, so the request is authorized as a fetch but executed as a push. Because the request differs from a legitimate push only in the query string, exploitation is straightforward for any user with read access.

Generated by OpenCVE AI on June 25, 2026 at 01:08 UTC.

Remediation

Fixed in Gogs 0.14.3, as stated in the description and the GHSA advisory. No workaround is documented by the vendor.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later, which contains the authorization fix for the git‑receive‑pack endpoint; this is the only fix the advisory describes.
  • Until the upgrade is deployed, a reverse proxy in front of Gogs can reject POST requests to paths ending in /git-receive-pack whose service query parameter is present and not equal to git-receive-pack (a mitigation derived from the description, not a vendor‑documented control). The underlying weakness is CWE‑284, Improper Access Control: the required permission must be derived from the operation the server executes, never from a client‑supplied parameter.
  • After upgrading, review repositories for pushes made during the exposure window by users who hold only read access (unexpected refs, commits, or force‑updates), since the fix does not undo writes that already occurred.
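Checking whether the endpoint was abused before the upgrade comes down to finding requests with the shape the advisory describes. The Go program below is an added example, not part of the advisory or of Gogs: it scans access-log lines in Apache/nginx combined log format, as a reverse proxy in front of Gogs would record them (an assumption; Gogs' own log format is not reproduced), and reports POST requests to a /git-receive-pack path whose service parameter is present and not git-receive-pack. The sample lines are constructed, and GET /info/refs requests, where the service parameter is legitimate, are deliberately not flagged.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one access-log line matching the receive-pack/service confusion shape.
type Finding struct {
	Client, User, Target string
}

// requestLine extracts client, user, method and request target from a
// combined-log-format line: `host ident user [time] "METHOD target PROTO" ...`.
var requestLine = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]*\] "([A-Z]+) (\S+) [^"]*"`)

// isConfusedPush reports whether a request hits the push endpoint while
// claiming a different service in the query string. Only POST is relevant:
// the path selects receive-pack, so any other ?service= value is a mismatch.
func isConfusedPush(method, target string) bool {
	if method != "POST" {
		return false
	}
	u, err := url.Parse(target)
	if err != nil || !strings.HasSuffix(u.Path, "/git-receive-pack") {
		return false
	}
	svc := u.Query().Get("service")
	return svc != "" && svc != "git-receive-pack"
}

// scan returns a Finding for each matching line; lines that do not parse are skipped.
func scan(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if isConfusedPush(m[3], m[4]) {
			out = append(out, Finding{Client: m[1], User: m[2], Target: m[4]})
		}
	}
	return out
}

// sampleLog is constructed test data (not real traffic): a normal fetch by a
// read-only user, a legitimate push by a writer, and two confused pushes.
var sampleLog = []string{
	`203.0.113.7 - bob [24/Jun/2026:21:20:01 +0000] "GET /alice/repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 512 "-" "git/2.45.0"`,
	`203.0.113.7 - bob [24/Jun/2026:21:20:02 +0000] "POST /alice/repo.git/git-upload-pack HTTP/1.1" 200 8192 "-" "git/2.45.0"`,
	`203.0.113.7 - bob [24/Jun/2026:21:21:10 +0000] "POST /alice/repo.git/git-receive-pack?service=git-upload-pack HTTP/1.1" 200 64 "-" "curl/8.6.0"`,
	`198.51.100.4 - alice [24/Jun/2026:21:22:00 +0000] "POST /alice/repo.git/git-receive-pack HTTP/1.1" 200 64 "-" "git/2.45.0"`,
	`203.0.113.7 - bob [24/Jun/2026:21:23:30 +0000] "POST /alice/repo.git/git-receive-pack?foo=1&service=git-upload-pack HTTP/1.1" 200 64 "-" "curl/8.6.0"`,
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("suspect push: client=%s user=%s target=%s\n", f.Client, f.User, f.Target)
	}
}
```

A hit only shows that the confused request shape was sent; whether it resulted in a write depends on the response and on whether that user actually held write access, so each finding should be correlated against the repository's permissions and reflog before it is treated as a successful exploitation.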

Generated by OpenCVE AI on June 25, 2026 at 01:08 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-wmfg-5p4h-5fw3
Title: Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion
History

Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.
Title | | Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusion
Weaknesses | | CWE-284
References | |
Metrics | | cvssV4_0: score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:32:09.080Z

Reserved: 2026-06-08T18:02:19.732Z

Link: CVE-2026-52810

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:15:15Z

Weaknesses