External risk intelligence

Gogs Path Traversal to Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-52813

Gogs is a self-hosted Git service typically deployed as a web application to facilitate remote collaboration and code repository management. These services are commonly configured to be internet-facing or accessible to a wide network of remote users, making the web interface and associated endpoints reachable from outside the local environment.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Gogs, a self-hosted Git service, could allow an attacker to execute arbitrary code on your systems. This occurs when specially crafted organization names enable unauthorized access to store or retrieve repository data in unintended locations on the filesystem, potentially leading to system compromise. The primary concern is confirming if your organization uses this specific software and is exposed.

  • Code execution risk in Git service.
  • Affects how code is managed and stored.
  • Confirm use and exposure of the service.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by crafting organization names that include directory traversal sequences. This allows them to write repository files to arbitrary locations on the server. By manipulating nested repositories and their hook configurations, an attacker can achieve remote code execution.

  • Unauthenticated network access required.
  • Malicious organization name and repository structure.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, Gogs' organization names could be manipulated to store or retrieve repository data in unintended filesystem locations, potentially leading to the overwriting of hook configurations and subsequent remote code execution.

  • Repository data could be exposed.
  • Path traversal allows arbitrary file access.
  • Remote code execution may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

As Gogs is a self-hosted Git service, platform or infrastructure teams are likely responsible for its management and security. The first practical move is to identify all Gogs instances, confirm their reachability and business criticality, and then engage the accountable owner to plan remediation.

  • Platform/Infrastructure teams own this issue.
  • Verify Gogs instance reachability and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Gogs?

Gogs is an open-source, self-hosted Git service that allows teams to manage code repositories on their own infrastructure. It functions as a web-based platform for version control, offering features similar to hosted Git providers but kept within a user's private environment to facilitate code collaboration and storage.

What does CWE-23 mean for CVE-2026-52813?

CWE-23 refers to a path traversal vulnerability. In the context of CVE-2026-52813, this means the software fails to properly sanitize input, allowing an attacker to use sequences like "../" to escape intended directory boundaries. By doing so, they can read or write files anywhere on the server's filesystem, which, in this specific case, allows them to overwrite critical repository configuration files to run unauthorized commands.

How does an attacker trigger this vulnerability?

An attacker exploits this by creating a Gogs organization with a name containing path traversal sequences. This action tricks the system into storing repository data in unauthorized, arbitrary locations on the server. Simply browsing or viewing existing legitimate organizations does not trigger the bug; the attacker must have the ability to create or influence organization names within the service to initiate the path traversal.

Is my Gogs instance at high risk?

According to Halo Surface Signal, Gogs is typically deployed as a web application intended for remote collaboration, often making it internet-facing. Because this vulnerability can be triggered via the network, instances accessible from the internet or by a wide group of users are at a higher risk of being targeted by unauthorized parties.

What should I do if I use Gogs?

The first step is to locate all Gogs instances in your environment and verify their current version. If you are running a version prior to 0.14.3, you are affected by this vulnerability. Coordinate with the teams managing these servers to prioritize upgrading to version 0.14.3 or later, which contains the fix for the path traversal issue.

References