CVE-2026-52814 is a medium-severity uncontrolled resource consumption vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3.
The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn. An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures). Vulnerability Details In internal/ssh/ssh.go, the listen function contains an accept loop that spawns a goroutine for every incoming connection: The golang.org/x/crypto/ssh package is transport-agnostic and explicitly relies on the caller to manage connection timeouts before initiating the cryptographic handshake. Because Gogs never calls conn.SetDeadline(), the call to NewServerConn eventually reaches io.ReadFull (inside readVersion()) and blocks forever on the kernel TCP socket waiting for the client to send the SSH-2.0-... banner. Each stuck connection consumes a file descriptor and ~10KB of memory (Goroutine stack + connection structs). An attacker holding thousands of these connections open with zero bandwidth (no data sent) will quickly exhaust the OS ulimit -n limits (accept4: too many open files), completely neutralizing the service. Steps to Reproduce Environment Setup: Ensure Gogs is configured to use the built-in Go SSH server in app.ini: The Exploit (PoC): Save the following Python script as slowloris-ssh.py. This script connects to the SSH port and intentionally stalls the handshake. Execution: Run the script against the target, ensuring the number of connections (n) exceeds the server's configured file descriptor limit (e.g., 1500 for default 1024 ulimit environments): python3 slowloris-ssh.py <target-ip> 2222 1500 Observe the Impact: Attempt to connect legitimately: nc -v <target-ip> 2222. The connection will hang or be refused immediately. Inspect the Gogs server logs/console. You will observe catastrophic I/O failures such as: [clog] [file]: rename rotated file ...: no such file or directory accept4: too many open files Impact Denial of Service: Legitimate developers cannot push, pull, or clone repositories via SSH. POC:- watch the following video for poc
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
go
gogs.io/gogs (< 0.14.3)gogs.io/gogs → 0.14.3 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-52814 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-52814 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-52814 in your environment →Upgrade gogs.io/gogs to 0.14.3 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-52814 is a medium-severity uncontrolled resource consumption vulnerability in gogs.io/gogs (go), affecting versions < 0.14.3. It is fixed in 0.14.3. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
gogs.io/gogs (go) versions < 0.14.3 is affected.
Yes. CVE-2026-52814 is fixed in 0.14.3. Upgrade to this version or later.
Whether CVE-2026-52814 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade gogs.io/gogs to 0.14.3 or later.