
Six Flaws in Self-Hosted Git Service Gogs, Unauthenticated Takeover (CVE-2026-52813 and More) — Update to v0.14.3

Gogs, a lightweight Git service for managing source code on your own server, has six vulnerabilities. The most serious, CVE-2026-52813, scores CVSS 10.0 and allows the server to be taken over without authentication. The others include code execution and seizure of administrator rights. Versions before 0.14.3 are affected; a single update fixes them all. If you self-host Gogs, update now.

News

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.25 · 8 min read

Gogs, a lightweight Git service for managing source code on your own server, has been found to contain six vulnerabilities (software flaws) at once. The most serious, CVE-2026-52813, scores a 10.0 out of 10 (the maximum) and lets an attacker take over the server without authentication.

All six were reported by GitHub and disclosed on June 24, 2026; the fixes are included in 0.14.3. Among them are a flaw that writes files outside their intended location to take over the server and flaws that let a logged-in user run code, so if you self-host Gogs you need to update now.

What kind of software is Gogs?

Gogs is software that lets you run a Git service on your own server for storing and sharing program source code. It is like a self-hosted version of GitHub, handling repositories (storehouses for code), team collaboration, and change history. Written in Go, it is very lightweight—it runs on just 64 MB of memory—and it has been open source (MIT license) since 2014.

Thanks to its simplicity, it is used in place of GitHub on company servers, personal servers, and home servers (homelabs). Because it holds source code, a company's core asset, a takeover has a large impact. All six flaws this time are fixed in 0.14.3.

Who targets it, what they do, and what happens

For the most dangerous flaw, CVE-2026-52813, the targets are any servers running Gogs that are reachable on the network. This flaw requires no login, and any attacker in a position to send the server a request can carry it out. Instances exposed publicly with open account registration offer an especially wide entry point.

The attacker abuses a name containing the "../" string, which moves up one directory level, to write files where they should not go, and ultimately runs arbitrary code on the server hosting Gogs. The other flaws can also lead to code execution by a logged-in user, seizure of administrator privileges, and behind-the-scenes connections into the internal network.

Once the server is taken over, it can lead to theft or tampering of stored source code, supply-chain poisoning where malicious traps are planted in the code, and further intrusion using the server as a foothold. The impact of a compromised development foundation can reach every product built downstream. Inspecting the components and services you bring in from outside is worth revisiting alongside the ideas in our OSS supply-chain scanner overview. Vulnerabilities that start being exploited in the wild can be tracked in our CISA KEV Dashboard (Japanese edition).

What the six vulnerabilities are

We look at them from most to least severe. Only CVE-2026-52797 is fixed in 0.14.0; the rest are fixed in 0.14.3.

CVE-2026-52813: server takeover without authentication (CVSS 10.0)

According to the published information, an organization (group) name containing a "../" string can be created, slipping past input checks to write repository data to an arbitrary location. Git has a mechanism called "hooks"—scripts that run automatically on certain operations. By nesting repositories cleverly, an attacker overwrites this hook configuration and can run arbitrary code with no authentication and no luring of any user (GHSA-c39w-43gm-34h5). With its maximum score of 10.0, it is the top priority to close.

CVE-2026-52806: command injection from a pull-request branch name (CVSS 9.9)

In this flaw, when a logged-in user creates a pull request (a request to merge changes) with a specially crafted branch name, an "--exec" execution option is injected into the git command used during the merge, and arbitrary code runs on the server (GHSA-qf6p-p7ww-cwr9).

CVE-2026-52798: stored XSS in Jupyter notebook previews (CVSS 8.9)

In its preview of Jupyter notebooks (.ipynb), Gogs sanitized the content on the server side but did not sanitize it again when re-rendering it on the client side. Planting a link beginning with "javascript:" in a malicious notebook makes a script run when the link is clicked, achieving stored XSS (an embedded malicious script) within Gogs.

CVE-2026-52800: seize administrator rights by getting a trap link clicked (CVSS 8.8)

In this flaw, organization member management lacked CSRF (cross-site request forgery) protection and could be driven by a plain GET request. By getting a logged-in organization owner to click a crafted link, an attacker can add their own account to the Owners team and seize the organization's administrative rights wholesale.

CVE-2026-52805: behind-the-scenes connection to internal targets via the migration feature (CVSS 8.7)

In this flaw, the repository migration (import) feature does not sufficiently check redirect destinations. An attacker supplies a URL that looks legitimate at first but redirects along the way to an internal address that should be blocked, and can thereby import the contents of an internal repository into their own repository (SSRF).
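The redirect check that the migration feature lacked, shown as an added illustration (not Gogs' own code or its fix): an http.Client whose CheckRedirect hook re-validates every hop against loopback, link-local and private ranges before the request is sent, so a URL that starts out public cannot bounce the importer inward. The lookupIP variable and the five-hop limit are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// lookupIP is a variable so the check can be exercised offline with a stub resolver.
var lookupIP = net.LookupIP

// IsBlockedIP: loopback, link-local, private (RFC 1918 / ULA) or unspecified addresses.
func IsBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// CheckTarget validates one URL (initial or redirect hop): http(s) only, and every
// address the host resolves to must be public.
func CheckTarget(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal, so resolve it
		resolved, err := lookupIP(host)
		if err != nil {
			return fmt.Errorf("resolve %q: %w", host, err)
		}
		ips = resolved
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// NewImportClient returns an http.Client whose redirect hook re-validates every hop,
// so a URL that starts public cannot bounce the importer into the internal network.
func NewImportClient() *http.Client {
	return &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= 5 {
			return fmt.Errorf("too many redirects")
		}
		return CheckTarget(req.URL)
	}}
}
```

The host is resolved here at validation time and resolved again by the dialer, so a DNS answer that changes between the two (rebinding) still needs a dialer-level check.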

CVE-2026-52797: out-of-path writes by crafting git diff (CVSS 8.5)

In this flaw, an authorized user crafts the values passed to the git diff command, slips past the filter, and can write the comparison results to an arbitrary location. This one is fixed in 0.14.0.
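Both CVE-2026-52813 and CVE-2026-52797 come down to a user-controlled name reaching the filesystem with a ".." component. The following is an added example, not Gogs' own code or fix: a naive Join that walks out of the repository root beside a hardened version that validates the names and then confirms the resolved path still lies under the root. The /srv/repos root and the <owner>/<repo>.git layout are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrUnsafeName = errors.New("name contains a path separator or a '..' sequence")

// ValidateName rejects owner/repository names that could act as a directory hop.
// Refusing any ".." is deliberately conservative ("a..b" is also refused).
func ValidateName(name string) error {
	if name == "" || name == "." || strings.ContainsAny(name, `/\`) || strings.Contains(name, "..") {
		return ErrUnsafeName
	}
	return nil
}

// UnsafeRepoPath shows the failure mode: a plain Join cleans "../" and walks out of root.
func UnsafeRepoPath(root, owner, repo string) string {
	return filepath.Join(root, owner, repo+".git")
}

// RepoPath validates both names and then confirms that the resulting path is still
// inside root, so a name that slipped past validation still cannot land outside it.
func RepoPath(root, owner, repo string) (string, error) {
	if err := ValidateName(owner); err != nil {
		return "", fmt.Errorf("owner %q: %w", owner, err)
	}
	if err := ValidateName(repo); err != nil {
		return "", fmt.Errorf("repo %q: %w", repo, err)
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, owner, repo+".git")
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes repository root %q", full, absRoot)
	}
	return full, nil
}

func main() {
	fmt.Println(UnsafeRepoPath("/srv/repos", "../../tmp", "api")) // /tmp/api.git
	fmt.Println(RepoPath("/srv/repos", "../../tmp", "api"))       // "" plus the rejection error
}
```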

A quick reference of preconditions and severity

The six differ in "whether a login is needed" and "what must be clicked." All but CVE-2026-52797 are fixed in 0.14.3; 52797 is fixed in 0.14.0.

| CVE | Severity | Login | What can happen |
| --- | --- | --- | --- |
| 52813 | 10.0 | Not needed | Arbitrary code exec (server takeover) |
| 52806 | 9.9 | Needed | Arbitrary code exec |
| 52798 | 8.9 | Needed | Stored XSS |
| 52800 | 8.8 | Not needed (trap link) | Seize admin rights |
| 52805 | 8.7 | Needed | Connect to internal targets (SSRF) |
| 52797 | 8.5 | Needed | Out-of-path writes |

The top priority is CVE-2026-52813. Because it takes over the server without authentication, instances exposed to the internet should act especially urgently.

What to do now

The top priority is to update Gogs to 0.14.3 or later. Get the latest version from the official releases. This single update closes all six flaws at once.

If you cannot update immediately, these mitigations help: temporarily disable open account registration, and do not expose Gogs directly to the internet; restrict access to a network range only trusted users can reach. Also inspect for any unfamiliar organizations or owner additions, suspicious repository or hook changes, and unfamiliar files. If a takeover is suspected, the safe move is to rotate the credentials and access tokens stored on the server after updating.

Summary

The six flaws found in Gogs are varied—led by the maximum-score CVE-2026-52813 (server takeover without authentication), with code execution, seizure of administrator rights, internal connections, and XSS. Severity ranges from 8.5 to 10.0, they affect versions before 0.14.3 (52797 before 0.14.0), and they are fixed together in 0.14.3.

Because a Git service holds source code—a core asset—a takeover's damage reaches products downstream. If you self-host Gogs, first check your version and, if it is old, update now. If new vulnerabilities concerning Gogs emerge, we will track them by adding to this article.
