External risk intelligence

Gogs Pull Request Branch Name Injection RCE Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-52806

Gogs is a self-hosted Git service commonly deployed as a web application accessible over the network. As a collaborative development tool, it is frequently exposed to the internet or wide internal networks to facilitate remote access for users and CI/CD integrations, making the web interface and associated Git operations common internet-facing attack surfaces.

Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Gogs, an open-source self-hosted Git service, that allows authenticated users to execute arbitrary code on the server. The issue arises during a specific merge operation involving specially crafted branch names, potentially enabling unauthorized control over the affected systems. The main concern is confirming relevance and exposure.

  • Crafted branch names allow code execution.
  • Affects self-hosted Git services.
  • Confirm if Gogs is in use.

Attack Path

How an attacker could exploit the issue

An attacker could leverage this vulnerability by first gaining authenticated access to the Gogs server. Once authenticated, they could craft a pull request with a malicious branch name. This crafted name would be processed during a "Rebase before merging" operation, causing the server to execute arbitrary commands and potentially leading to remote code execution.

  • Authenticated access to the server is required.
  • Specially named branch in pull request triggers vulnerability.
  • Risk of full server compromise.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, authenticated users could achieve remote code execution on the server by creating a pull request with a specially crafted branch name that injects commands into the git rebase operation during a merge.

  • Server code execution.
  • Malicious branch name injection.
  • Compromised server.

Operational Fix

Recommended remediation, mitigation, and detection steps

System owners and platform teams are likely responsible for addressing this vulnerability in Gogs, a self-hosted Git service. The first practical step is to identify all Gogs instances, assess their reachability and business criticality, and then assign ownership for remediation, planning updates during scheduled maintenance windows.

  • Identify Gogs instances and owners.
  • Verify reachability and business criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Gogs?

Gogs is a lightweight, self-hosted Git service that provides a web interface for managing code repositories. Teams use it to host their own version control infrastructure, similar to other Git platforms, to track code changes and collaborate on software development projects.

How does CVE-2026-52806 allow code execution?

This vulnerability is classified as CWE-77, or Command Injection. It occurs because the software fails to properly sanitize input when handling branch names. By injecting a malicious flag into a branch name, an attacker can manipulate the underlying 'git rebase' command, forcing the server to execute unintended commands.

Does any pull request trigger this vulnerability?

No. The vulnerability is only triggered during the specific 'Rebase before merging' operation. A standard pull request that does not utilize this merge option, or one that uses a standard, non-malicious branch name, will not trigger the command injection. The exploit requires the specific combination of a crafted name and the rebase operation.

Is my Gogs instance at risk?

According to Halo Surface Signal, Gogs is typically deployed as a web application accessible over a network. Because it acts as a central hub for development and CI/CD, it is often exposed to the internet or wide internal networks. If your instance is reachable by users who could create a pull request, you should consider it a relevant attack surface.

What is the first step to fix this Gogs issue?

The primary action is to update your Gogs installation to version 0.14.3 or later, which contains the fix for this vulnerability. Before applying the update, identify all running instances of Gogs in your environment, determine who owns them, and schedule maintenance to apply the upgrade.

References