Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 10 Critical
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Organization names containing the path‑traversal sequence "../" are accepted by older versions of Gogs. This flaw allows an attacker to create repositories that resolve to arbitrary filesystem locations, enabling the overwriting or injection of Git hook scripts. Because hook scripts run with the process’s privileges, the attacker can achieve remote code execution. The weakness is a classic path traversal flaw, classified as CWE‑23.

Affected Systems

The vulnerability exists in all Gogs releases prior to version 0.14.3. No specific patch version range beyond that is known, and all affected installations that have older releases are susceptible.

Risk and Exploitability

The CVSS score of 10 underscores the severity of this flaw, and the vulnerability is not yet listed in CISA’s KEV catalog. The EPSS score of 1% indicates a low but non‑zero exploitation probability; however, the absence of a known public exploit does not diminish the inherent risk; an attacker who can create an organization or repository can exploit the flaw. The attack vector is inferred to be application‑level, requiring the ability to create or modify organization names – typically achieved by an authenticated user with repository creation rights.

Generated by OpenCVE AI on June 25, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Gogs 0.14.3 update or newer.
  • Revoke or limit the ability for users to create organizations with path traversal characters and verify that existing organization names do not contain "../".
  • Review and, if necessary, restore all repository hook configurations to ensure no unauthorized code has been injected.

Generated by OpenCVE AI on June 25, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c39w-43gm-34h5 Gogs has Path Traversal in organization name that results in RCE through Git hooks
History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Title Gogs: Path Traversal in organization name results in RCE through Git hooks
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:38.322Z

Reserved: 2026-06-08T18:11:06.660Z

Link: CVE-2026-52813

cve-icon Vulnrichment

Updated: 2026-06-25T12:37:58.589Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:45:02Z

Weaknesses
  • CWE-23

    Relative Path Traversal