External risk intelligence

Gogs Repository File Upload Symlink Race Condition

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-52811

Gogs is a self-hosted Git service that is commonly deployed as a web-accessible application to facilitate remote code collaboration and repository management. While it requires authenticated repository write access to trigger the specific file system vulnerability, the application itself is typically exposed as a network-facing web service.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Gogs, an open-source Git service, allows an attacker with write access to redirect file writes through a directory symlink. This could lead to unauthorized code execution or the compromise of sensitive SSH keys, enabling significant system access.

  • Attackers can write anywhere with repo permissions.
  • It could lead to remote code execution.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with write access to a repository can craft a special file upload. When this upload is processed by a vulnerable function, it can be tricked into writing files to arbitrary locations on the server. This could allow an attacker to gain unauthorized access to sensitive system files or execute code.

  • Requires authenticated repository write access.
  • Uploading a file with a specially crafted filename.
  • Arbitrary file write leading to system compromise.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker with repository write access could redirect file writes through a previously committed directory symlink. This may allow writing arbitrary files anywhere the Gogs user can write on the system.

  • Sensitive system files or repository data.
  • Via multipart upload with crafted filename.
  • Unrestricted file writes on the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

The platform or application owners responsible for the Gogs instance should take the lead in addressing this vulnerability. The first critical step is to identify all deployed Gogs instances, determine their network reachability and business criticality, and then confirm the accountable owner for each instance before planning remediation.

  • Identify Gogs instances and owners.
  • Verify network exposure and criticality.
  • Plan remediation or mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Gogs?

Gogs is a lightweight, self-hosted Git server written in Go. Developers use it to manage code repositories and collaborate on projects within their own infrastructure. It functions similarly to other Git hosting platforms but provides a dedicated, private environment for version control, issue tracking, and repository management without relying on external cloud providers.

How does CVE-2026-52811 work?

This vulnerability involves Improper Neutralization of Special Elements used in a Pathname, commonly known as Path Traversal or Improper Link Following (CWE-22, CWE-59, CWE-61). In affected Gogs versions, the file upload process fails to properly check if a path contains symbolic links. An attacker can use a crafted filename to 'trick' the server into following a symlink, allowing them to overwrite sensitive system files outside of the intended repository directory.

What is required to trigger this vulnerability?

An attacker must have repository write access to the Gogs instance. They then need to perform a multipart file upload using a specially crafted filename that directs the write operation through a directory symlink. It is important to note that this bug specifically affects the 'UploadRepoFiles' function; other repository operations in Gogs already include proper symlink checks and are not subject to this specific path redirection flaw.

Is my Gogs instance at risk?

According to Halo Surface Signal, Gogs is typically deployed as a network-accessible web service to enable remote collaboration, which often places it in an internet-facing position. While the attack requires authenticated write access to a repository, any instance accessible over the network—especially one allowing public or untrusted user registration—faces a higher risk of exploitation than a purely internal, restricted-access installation.

How do I fix this Gogs security issue?

The primary response is to upgrade your Gogs software to version 0.14.3 or later, where this file path validation logic has been corrected. Before upgrading, administrators should inventory their active Gogs instances, verify their network reachability, and identify the stakeholders responsible for each deployment to ensure a coordinated and successful update process.

References