Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Organization names containing the path-traversal sequence "../" are accepted by older versions of Gogs. This flaw allows an attacker to create repositories that resolve to arbitrary filesystem locations, enabling the overwriting or injection of Git hook scripts. Because hook scripts run with the process's privileges, the attacker can achieve remote code execution. The weakness is a classic path traversal flaw, classified as CWE-23.

Affected Systems

The vulnerability exists in all Gogs releases prior to version 0.14.3. No narrower affected version range is known, so every installation running a release older than 0.14.3 should be treated as susceptible.

Risk and Exploitability

The CVSS score of 10 underscores the severity of this flaw, and the vulnerability is not yet listed in CISA’s KEV catalog. While the formal EPSS score is not available, the absence of an exploit in the public domain does not diminish the inherent risk; an attacker who can create an organization or repository can exploit the flaw. The attack vector is inferred to be application‑level, requiring the ability to create or modify organization names – typically achieved by an authenticated user with repository creation rights.

Generated by OpenCVE AI on June 25, 2026 at 00:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Gogs 0.14.3 update or newer.
  • Revoke or limit the ability for users to create organizations with path traversal characters and verify that existing organization names do not contain "../".
  • Review and, if necessary, restore all repository hook configurations to ensure no unauthorized code has been injected.
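As an added example (not code from the Gogs project), the kind of defensive check the recommended actions call for: a single-segment validator for organization names, a root-containment check on the resolved repository path, and an audit helper for names already in an installation. The repository root, function names and sample names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadOrgName is returned for names that could escape the repository root.
var ErrBadOrgName = errors.New("organization name contains a path separator or traversal component")

// ValidateOrgName accepts only a single, non-dot path segment. Any ".." is
// rejected outright (deliberately stricter than needed) so that "../" can
// never appear in a name, as the recommended actions require.
func ValidateOrgName(name string) error {
	if name == "" || name == "." || strings.Contains(name, "..") {
		return ErrBadOrgName
	}
	if strings.ContainsAny(name, `/\`) {
		return ErrBadOrgName
	}
	return nil
}

// RepoPath builds root/org/repo.git and refuses any result that resolves
// outside root; this containment check is what the traversal relies on being absent.
func RepoPath(root, org, repo string) (string, error) {
	full := filepath.Join(root, org, repo+".git") // Join cleans, so "../" is resolved here
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("repository path %q escapes root %q", full, root)
	}
	return full, nil
}

// AuditOrgNames returns every existing name that fails ValidateOrgName.
func AuditOrgNames(names []string) []string {
	var bad []string
	for _, n := range names {
		if ValidateOrgName(n) != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	// Constructed sample data, not taken from any real installation.
	names := []string{"acme", "../../tmp/evil", "dev-team", ".."}
	fmt.Println("rejected:", AuditOrgNames(names))
	for _, org := range names {
		p, err := RepoPath("/var/gogs-repositories", org, "app")
		fmt.Printf("%-18q -> %q %v\n", org, p, err)
	}
}
```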


Advisories
Source: Github GHSA
ID: GHSA-c39w-43gm-34h5
Title: Gogs has Path Traversal in organization name that results in RCE through Git hooks
History

Wed, 24 Jun 2026 21:15:00 +0000

Values added:
  • Description: Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
  • Title: Gogs: Path Traversal in organization name results in RCE through Git hooks
  • Weaknesses: CWE-23
  • References:
  • Metrics: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:33:42.162Z

Reserved: 2026-06-08T18:11:06.660Z

Link: CVE-2026-52813

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:45:05Z

Weaknesses
  • CWE-23: Relative Path Traversal