Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, (*Repository).UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-write access plus a multipart upload whose filename contains a literal backslash (preserved by filepath.Base on Linux, then converted to / by pathx.Clean) redirects the write through a previously-committed directory symlink. iox.CopyFile opens the destination with os.Create (no O_NOFOLLOW), so the kernel follows the parent symlink and writes attacker bytes anywhere the gogs UID can write — ~git/.ssh/authorized_keys → SSH foothold, or <repo>.git/hooks/post-receive → next-push RCE. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs' UploadRepoFiles method inspects only the final component of an upload target for a symlink (osx.IsSymlink(targetPath)); its sibling methods UpdateRepoFile, DeleteRepoFile and GetDiffPreview call hasSymlinkInPath, which lstats every path component. An attacker with repository write permission can submit a multipart upload whose filename contains a literal backslash. On Linux the backslash is not a path separator, so filepath.Base preserves it, and the later clean step (pathx.Clean) converts it to a forward slash, turning the "filename" into a relative path whose first component can be a directory symlink already committed to the repository. Because iox.CopyFile opens the destination with os.Create, which does not set O_NOFOLLOW, the kernel resolves that parent symlink and the uploaded bytes land anywhere the Gogs UID can write. The advisory names two targets: ~git/.ssh/authorized_keys, which yields an SSH foothold, and <repo>.git/hooks/post-receive, which executes attacker code on the next push to that repository. The weaknesses are CWE-22 (Path Traversal), CWE-59 (Improper Link Resolution Before File Access, 'Link Following') and CWE-61 (UNIX Symbolic Link Following).
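The mechanics described above, as an added worked example written for this page (it is not Gogs' code and does not call Gogs' packages): normalizeUploadName reproduces the backslash-to-slash behaviour on Linux with path.Clean standing in for pathx.Clean (an assumption about equivalent effect on these inputs); leafOnlySymlinkCheck is the pre-0.14.3 leaf-only pattern and hasSymlinkInPath the per-component pattern the sibling methods use; runDemo builds a constructed working tree under a temp directory with a committed directory symlink and performs the upload the vulnerable way. All function names are illustrative. Run it on Linux: on Windows filepath.Base treats the backslash as a separator, so the trick does not apply, and creating symlinks needs extra privilege.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// normalizeUploadName reproduces the behaviour the advisory describes: on
// Linux filepath.Base keeps a backslash as an ordinary character, and the
// later clean step turns it into "/", so the "file name" `link\evil` becomes
// the relative path "link/evil". path.Clean stands in for Gogs' pathx.Clean
// (assumption: same effect on these inputs).
func normalizeUploadName(multipartFilename string) string {
	return path.Clean(strings.ReplaceAll(filepath.Base(multipartFilename), `\`, "/"))
}

// leafOnlySymlinkCheck is the pre-0.14.3 pattern: only the final component is
// examined, and a leaf that does not exist yet can never be a symlink.
func leafOnlySymlinkCheck(target string) (bool, error) {
	fi, err := os.Lstat(target)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink != 0, nil
}

// hasSymlinkInPath lstats every component of rel beneath root (the pattern the
// advisory attributes to the sibling methods) and also rejects "..", so the
// backslash trick cannot be turned into plain traversal either.
func hasSymlinkInPath(root, rel string) (bool, error) {
	cur := root
	for _, part := range strings.Split(filepath.ToSlash(rel), "/") {
		switch part {
		case "", ".":
			continue
		case "..":
			return false, errors.New("upload path escapes the working tree")
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			return false, nil // nothing beyond this point exists yet
		}
		if err != nil {
			return false, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return true, nil
		}
	}
	return false, nil
}

type demoResult struct {
	Rel            string // normalized upload path
	LeafFlagged    bool   // leaf-only check objected
	PathFlagged    bool   // per-component check objected
	WrittenOutside bool   // the write landed outside the working tree
}

// runDemo builds a throwaway tree with a committed directory symlink
// repo/link -> outside/ (outside stands in for ~git/.ssh or <repo>.git/hooks)
// and uploads `link\evil` the way the vulnerable path does: leaf check, then
// an O_CREATE open without O_NOFOLLOW, which follows repo/link.
func runDemo() (demoResult, error) {
	tmp, err := os.MkdirTemp("", "gogs-upload-demo")
	if err != nil {
		return demoResult{}, err
	}
	defer os.RemoveAll(tmp)
	repo, outside := filepath.Join(tmp, "repo"), filepath.Join(tmp, "outside")
	for _, d := range []string{repo, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return demoResult{}, err
		}
	}
	if err := os.Symlink(outside, filepath.Join(repo, "link")); err != nil {
		return demoResult{}, err
	}
	res := demoResult{Rel: normalizeUploadName(`link\evil`)}
	target := filepath.Join(repo, res.Rel)
	if res.LeafFlagged, err = leafOnlySymlinkCheck(target); err != nil {
		return res, err
	}
	if res.PathFlagged, err = hasSymlinkInPath(repo, res.Rel); err != nil {
		return res, err
	}
	// os.WriteFile opens with O_WRONLY|O_CREATE|O_TRUNC, the same symlink-
	// following behaviour as os.Create: the kernel resolves repo/link first.
	if err := os.WriteFile(target, []byte("constructed payload, not a real key\n"), 0o644); err != nil {
		return res, err
	}
	_, err = os.Lstat(filepath.Join(outside, "evil"))
	res.WrittenOutside = err == nil
	return res, nil
}

func main() { fmt.Println(runDemo()) }
```

Running it prints a result where the leaf-only check is silent, the per-component check flags the committed symlink, and the file nevertheless exists in outside/ after the write. The ".." rejection in hasSymlinkInPath goes one step beyond the advisory text: the same backslash handling would also let `..\..\x` reach the clean step as "../../x", so a per-component check should refuse that lexically rather than rely on the directory layout.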

Affected Systems

All Gogs installations running a version prior to 0.14.3 are affected. The vulnerable code path is the repository file-upload feature backed by (*Repository).UploadRepoFiles; the other file-editing paths (UpdateRepoFile, DeleteRepoFile, GetDiffPreview) already check every path component and are not affected by this issue.

Risk and Exploitability

The flaw lets an authenticated user with write access to a repository write arbitrary bytes outside that repository's working tree, which is enough for remote code execution or a persistent foothold: ~git/.ssh/authorized_keys gives SSH access as the Gogs service user, and <repo>.git/hooks/post-receive runs attacker-controlled code on the next push. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N, with high confidentiality, integrity and availability impact on both the vulnerable and subsequent systems) scores 9.0, which is Critical, not High. AT:P reflects the single precondition, a directory symlink already committed to the repository; since the attacker already holds write access, they can commit that symlink themselves, so the precondition is not a real barrier. The EPSS score is unavailable and the issue is not listed in the CISA KEV catalog. The root cause is that the upload path checks only the leaf component for a symlink and then opens the destination with os.Create without O_NOFOLLOW, so any unpatched instance that grants repository write access to untrusted users is exposed.

Generated by OpenCVE AI on June 25, 2026 at 00:44 UTC.

Remediation

Fixed in Gogs 0.14.3, per the advisory description. No separate vendor workaround is published; the actions below are interim measures until the upgrade is applied.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or later.
  • Until then, restrict repository write access to trusted users (the attack needs an account with write permission) and, if the deployment can tolerate it, disable web file uploads ([repository.upload] ENABLED = false in app.ini), which removes the affected code path.
  • Audit existing working trees for symlinks, especially directory symlinks whose targets resolve outside the repository (for example into the git user's home directory or a bare repository's hooks directory), and remove or replace them before re-enabling write operations.
  • Check ~git/.ssh/authorized_keys and each bare repository's hooks/ directory for unexpected entries; those are the two targets the advisory names, so an unexplained key or hook is a sign the flaw was already used.
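The audit step above, as an added example written for this page (not OpenCVE's or Gogs' code): AuditSymlinks walks a checkout without following links, skips .git, and marks each symlink as escaping (its fully resolved target lies outside the tree) or dangling. BuildSampleTree creates a constructed checkout under a temp directory with one harmless relative link, one directory link to a directory outside the tree, one dangling link and one link under .git; the names of both functions and of the sample entries are illustrative. Resolution uses filepath.EvalSymlinks rather than a lexical check so that a chain of links is judged by where it finally lands.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one symlink discovered in a working tree.
type Finding struct {
	Link     string // symlink path relative to the audited root
	Target   string // raw link target as stored in the tree
	Escapes  bool   // fully resolved target lies outside the root
	Dangling bool   // target does not resolve at all
}

// AuditSymlinks walks root without following links (WalkDir uses Lstat
// semantics), skips .git, and classifies every symlink by resolving it with
// filepath.EvalSymlinks and comparing the result against the resolved root.
func AuditSymlinks(root string) ([]Finding, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	if absRoot, err = filepath.EvalSymlinks(absRoot); err != nil {
		return nil, err
	}
	var findings []Finding
	err = filepath.WalkDir(absRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() && d.Name() == ".git" {
			return filepath.SkipDir
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil
		}
		target, err := os.Readlink(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(absRoot, p)
		f := Finding{Link: rel, Target: target}
		if resolved, err := filepath.EvalSymlinks(p); err != nil {
			f.Dangling = true // target missing: cannot be verified, report it anyway
		} else if r, err := filepath.Rel(absRoot, resolved); err != nil || r == ".." ||
			strings.HasPrefix(r, ".."+string(filepath.Separator)) {
			f.Escapes = true
		}
		findings = append(findings, f)
		return nil
	})
	return findings, err
}

// BuildSampleTree creates a constructed checkout: a harmless relative link, a
// directory link pointing outside the tree, a dangling link, and a link under
// .git that the audit must skip. Callers must invoke cleanup when it is non-nil.
func BuildSampleTree() (root string, cleanup func(), err error) {
	tmp, err := os.MkdirTemp("", "symlink-audit")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(tmp) }
	root, outside := filepath.Join(tmp, "repo"), filepath.Join(tmp, "outside")
	for _, d := range []string{filepath.Join(root, "docs"), filepath.Join(root, ".git"), outside} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return "", cleanup, err
		}
	}
	if err = os.WriteFile(filepath.Join(root, "README"), []byte("sample\n"), 0o644); err != nil {
		return "", cleanup, err
	}
	links := map[string]string{
		filepath.Join(root, "docs", "readme"):  "../README",      // resolves inside the tree
		filepath.Join(root, "hooks"):           outside,          // directory link escaping the tree
		filepath.Join(root, "stale"):           "does-not-exist", // dangling
		filepath.Join(root, ".git", "skipped"): outside,          // under .git, not reported
	}
	for link, target := range links {
		if err = os.Symlink(target, link); err != nil {
			return "", cleanup, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := BuildSampleTree()
	if err != nil {
		fmt.Println(err)
		return
	}
	defer cleanup()
	fmt.Println(AuditSymlinks(root))
}
```

Point AuditSymlinks at a repository checkout (or at a fresh clone of each bare repository on the server) and treat every Escapes finding as a candidate for removal; Dangling links are worth a look too, since a link whose target does not exist today can be made to resolve later by a second commit.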



Advisories
Source: GitHub GHSA
ID: GHSA-89mr-xqfv-758m
Title: Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
History

Thu, 25 Jun 2026 05:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Gogs; Gogs gogs
Vendors & Products   -                Gogs; Gogs gogs

Wed, 24 Jun 2026 21:15:00 +0000

Type         Values Removed   Values Added
Description  -                (the advisory description shown at the top of this page)
Title        -                Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Weaknesses   -                CWE-22, CWE-59, CWE-61
References   -                -
Metrics      -                cvssV4_0: score 9, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:31:38.233Z

Reserved: 2026-06-08T18:11:06.659Z

Link: CVE-2026-52811

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T05:15:03Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')

  • CWE-61

    UNIX Symbolic Link (Symlink) Following