CVE-2026-52813 is a critical-severity security vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3.
Summary

Organization names containing path traversal sequences (../) are accepted by Gogs, and repositories created under such an organization are written to paths that follow the traversal. This allows storing and retrieving repository data at arbitrary locations on the filesystem. By creating a nested structure of Git repositories, one repository can overwrite another's hooks and configuration, resulting in Remote Code Execution (RCE).

Details

During organization creation, internal/database/org.go calls os.MkdirAll(repox.UserPath(org.Name)) without sanitizing org.Name:
https://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/database/org.go#L165

Repository creation then uses the same name to decide where the bare Git repository (org/name.git) is written. Setting the organization name to ../../../../tmp/test and creating a repository under that organization writes the repository under /tmp/test on the server:
https://github.com/gogs/gogs/blob/d7571322a04a29476d4241406ed50bf7eef0a5b7/internal/repox/repox.go#L57-L58

An attacker can abuse this by writing into /data/gogs/data/tmp/local-r/1, the local working-tree clone that Gogs keeps for the repository with ID 1. The contents of these directories are editable through Git. By creating a bare repository nested inside such a clone, that repository's config and hooks/update files are reachable through the path traversal and therefore editable through Git as well. The attacker edits hooks/update to contain malicious shell commands and then triggers the hook.

The steps to exploit this inside Gogs are roughly as follows (ignoring some syncing dummy actions):

1. Create a regular outer repository and note its ID.
2. Create an organization named ../../../../data/gogs/data/tmp/local-r/{ID}/nested.
3. Create a repository inside this organization (e.g. rce); it is written into the local clone of the outer repository.
4. From the outer repository, edit nested/rce.git/hooks/update to contain malicious shell commands.
5. Interact with the rce repository again to trigger the updated hook; RCE is achieved.

PoC

Set up a default Gogs instance by saving the following content to docker-compose.yml and running docker compose up:

Visit http://localhost:3000, set the Host to db:5432 and Password to gogs. Under Admin Account Settings, configure your admin account.

As the attacker, register an account with username attacker and password attacker at http://localhost:3000/user/sign_up.

As the attacker, run the following script (kept in a gist to avoid cluttering this advisory): https://gist.github.com/JorianWoltjer/4b72063338b27140f4439c524d98f2b9

The output should look like:

Impact

In the default setting, users can self-register and then create their own organizations. From there they can perform this exploit to achieve RCE as the git user.
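The root cause is that the organization name is joined into a filesystem path without any check. The following Go program is an added illustration, not code from Gogs or from the advisory: vulnerableRepoPath mirrors the shape of the lookup the advisory describes, and safeRepoPath shows one way to harden it with an allow-list on the name plus a second check that the resolved path stays under the repository root. The repository root /data/git/gogs-repositories and the validation rules are assumptions for the example; the actual fix in 0.14.3 may differ.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// repoRoot is an assumed repository root for illustration; the real value
// comes from the Gogs configuration and differs per deployment.
const repoRoot = "/data/git/gogs-repositories"

// vulnerableRepoPath mirrors the shape of the lookup the advisory describes:
// the organization name is joined into the path unchecked, so "../"
// components in it walk out of repoRoot. filepath.Join cleans the result,
// which is exactly what turns the traversal into an absolute target.
func vulnerableRepoPath(orgName, repoName string) string {
	return filepath.Join(repoRoot, orgName, repoName+".git")
}

// validateName is an allow-list check for organization and repository names.
// It is an illustrative hardening, not the fix shipped in Gogs 0.14.3.
func validateName(name string) error {
	switch {
	case name == "", name == ".", name == "..":
		return errors.New("empty or dot-only name")
	case strings.ContainsAny(name, `/\`):
		return fmt.Errorf("name %q contains a path separator", name)
	case strings.Contains(name, ".."):
		return fmt.Errorf("name %q contains '..'", name)
	case strings.HasPrefix(name, "."):
		return fmt.Errorf("name %q starts with a dot", name)
	}
	for _, r := range name {
		if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' ||
			r >= '0' && r <= '9' || r == '-' || r == '_' || r == '.') {
			return fmt.Errorf("name %q contains disallowed character %q", name, r)
		}
	}
	return nil
}

// escapesRoot reports whether the cleaned path p lies outside root. It is a
// defence-in-depth check: even if name validation is bypassed or forgotten at
// some call site, nothing is written outside the repository root.
func escapesRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeRepoPath validates both names and then verifies the resolved path.
func safeRepoPath(orgName, repoName string) (string, error) {
	for _, n := range []string{orgName, repoName} {
		if err := validateName(n); err != nil {
			return "", err
		}
	}
	p := filepath.Join(repoRoot, orgName, repoName+".git")
	if escapesRoot(repoRoot, p) {
		return "", fmt.Errorf("resolved path %q escapes %s", p, repoRoot)
	}
	return p, nil
}

func main() {
	// Constructed inputs: a normal name and the two organization names from
	// the advisory.
	for _, org := range []string{
		"acme",
		"../../../../tmp/test",
		"../../../../data/gogs/data/tmp/local-r/1/nested",
	} {
		fmt.Printf("org %q\n  unchecked: %s\n", org, vulnerableRepoPath(org, "rce"))
		if p, err := safeRepoPath(org, "rce"); err != nil {
			fmt.Printf("  hardened:  rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened:  %s\n", p)
		}
	}
}
```

The name check alone is enough to stop this bug, but the escapesRoot check is worth keeping as well: it also catches a sibling directory such as /data/git/gogs-repositories2, which a naive string-prefix comparison would accept, and it protects any future code path that builds a repository path without going through validation.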
CVE-2026-52813 has a CVSS score of 10.0 (Critical). The vector is network-reachable with no privileges and no user interaction required: on a default installation the attacker only needs a self-registered account. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. For a Gogs deployment, exposure comes down to running a version below 0.14.3 that untrusted users can reach, in particular one where self-registration (the default) is enabled.
A fixed version is available (0.14.3). Upgrading removes the vulnerable code path, but it does not remove repositories or hook scripts that an attacker may already have written outside the repository root, so an instance that was exposed should also be checked for leftovers such as bare repositories nested inside the local-r clones.
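Because an upgrade does not undo a hook that was already planted, an incident responder wants a quick way to look for the artefact the advisory's attack leaves behind: a bare repository layout (HEAD plus hooks/) sitting inside one of the working-tree clones under data/tmp/local-r, with a hooks/update script in it. The following Go program is an added example, not a tool from Gogs or from the advisory. It scans a data directory for that pattern; the directory layout it builds in buildSampleTree is constructed for the demonstration, and the location of the data directory is an assumption you must adjust to your deployment.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one suspicious directory under <dataDir>/tmp/local-r.
type Finding struct {
	Path   string
	Reason string
}

// looksLikeBareRepo reports whether dir has the layout of a bare Git repository
// (a HEAD file next to a hooks/ directory). The local-r clones are ordinary
// working trees whose Git metadata lives in .git/, so such a layout anywhere
// else below local-r is anomalous.
func looksLikeBareRepo(dir string) bool {
	head, err := os.Stat(filepath.Join(dir, "HEAD"))
	if err != nil || head.IsDir() {
		return false
	}
	hooks, err := os.Stat(filepath.Join(dir, "hooks"))
	return err == nil && hooks.IsDir()
}

// ScanLocalR walks <dataDir>/tmp/local-r and reports every bare-repository
// layout found outside a clone's own .git directory, noting whether a
// hooks/update script is present (the file the advisory's attack rewrites).
func ScanLocalR(dataDir string) ([]Finding, error) {
	root := filepath.Join(dataDir, "tmp", "local-r")
	if _, err := os.Stat(root); err != nil {
		if os.IsNotExist(err) {
			return nil, nil // nothing has been cloned yet
		}
		return nil, err
	}
	var findings []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() || p == root {
			return nil
		}
		if d.Name() == ".git" {
			return filepath.SkipDir // expected metadata of the clone itself
		}
		if looksLikeBareRepo(p) {
			reason := "bare repository layout inside a local-r working tree"
			if _, err := os.Stat(filepath.Join(p, "hooks", "update")); err == nil {
				reason += "; hooks/update present, review its contents"
			}
			findings = append(findings, Finding{Path: p, Reason: reason})
		}
		return nil
	})
	return findings, err
}

// buildSampleTree creates a constructed local-r layout for the demonstration:
// a clean clone (ID 2) and a clone (ID 1) containing the nested bare
// repository the advisory describes, complete with a hooks/update script.
func buildSampleTree(dataDir string) error {
	files := map[string]string{
		"tmp/local-r/1/.git/HEAD":                       "ref: refs/heads/master\n",
		"tmp/local-r/1/.git/hooks/post-checkout.sample": "#!/bin/sh\n",
		"tmp/local-r/1/README.md":                       "outer repo\n",
		"tmp/local-r/1/nested/rce.git/HEAD":             "ref: refs/heads/master\n",
		"tmp/local-r/1/nested/rce.git/config":           "[core]\n\tbare = true\n",
		"tmp/local-r/1/nested/rce.git/hooks/update":     "#!/bin/bash\n# placeholder for attacker-controlled commands\n",
		"tmp/local-r/2/.git/HEAD":                       "ref: refs/heads/master\n",
		"tmp/local-r/2/.git/hooks/update.sample":        "#!/bin/sh\n",
		"tmp/local-r/2/README.md":                       "clean repo\n",
	}
	for rel, content := range files {
		full := filepath.Join(dataDir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(content), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dataDir, err := os.MkdirTemp("", "gogs-data-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dataDir)
	if err := buildSampleTree(dataDir); err != nil {
		panic(err)
	}
	findings, err := ScanLocalR(dataDir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s\n  %s\n", f.Path, f.Reason)
	}
}
```

On a real instance, run ScanLocalR against the Gogs data directory (the advisory's layout puts it at /data/gogs/data) and treat any finding as something to inspect by hand; also check the repository root and any organization directories whose names could not have come from a normal user, since the same traversal can place repositories anywhere the git user can write.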
Remediation: upgrade gogs.io/gogs to 0.14.3 or later.
Severity tells you how bad this could be in the worst case; it does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory. Kodem's runtime-powered SCA identifies whether CVE-2026-52813 is reachable in your applications, and Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.