VYPR
Vypr Intelligence · AI-generated · Jun 24, 2026 · 18 CVEs

Gogs: 18 Vulnerabilities Including RCE and Auth Bypass Disclosed in Batch

A batch of 18 vulnerabilities, including critical RCEs and several high-severity flaws, was disclosed for the Gogs self-hosted Git service between June 22 and June 24, 2026.

Key findings

  • 18 vulnerabilities disclosed for Gogs between June 22-24, 2026, ranging from medium to critical severity.
  • Critical RCE vulnerabilities include path traversal in organization names (CVE-2026-52813), upload writes through committed symlinks (CVE-2026-52811), and git rebase argument injection (CVE-2026-52806).
  • High-severity flaws encompass LFS path leaks (CVE-2026-52812), auth bypass via reverse proxy headers (CVE-2026-25119), and CSRF leading to owner takeover (CVE-2026-52800).
  • Multiple vulnerabilities affect authorization, input sanitization, and authentication mechanisms in Gogs.
  • Users are urged to update Gogs instances to patched versions to mitigate significant security risks.

On June 23, 2026, the bulk of a batch of 18 vulnerabilities was disclosed for the Gogs self-hosted Git service, with the full set published between June 22 and June 24. The vulnerabilities range from medium to critical severity and expose Gogs instances to remote code execution, unauthorized access to private repository content, and denial of service.

Several critical vulnerabilities highlight severe security weaknesses:

  • CVE-2026-52813 and CVE-2026-52811 both lead to Remote Code Execution (RCE). CVE-2026-52813 is a path traversal in organization names: repository data can be written to arbitrary filesystem locations, and a write that lands in a Git hooks directory turns into code execution. CVE-2026-52811 lets file uploads write outside the repository working tree by following a committed parent symlink.
  • CVE-2026-52806 also enables RCE, through argument injection in the pull request merge functionality: attacker-influenced input reaches the git rebase invocation, where --exec runs an arbitrary command.
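The organization-name traversal above is the classic failure of building a storage path from user-controlled names without confining the result. The following is an added example (not Gogs code, and not the fix the project shipped) showing the naive construction beside a hardened one: an allow-list on each path component plus a containment check on the joined result. The storage root and the name pattern are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// repoRoot is an assumed storage root for this example; Gogs' real
// location comes from its configuration.
const repoRoot = "/var/gogs/repositories"

// ErrUnsafeName is returned for any owner or repository name that could
// move the resulting path outside repoRoot.
var ErrUnsafeName = errors.New("unsafe owner or repository name")

// validName is an assumed allow-list: must start with an alphanumeric,
// then alphanumerics, dot, dash or underscore. No path separators, and
// "." or ".." cannot match because the first character must be alphanumeric.
var validName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// UnsafeRepoPath is the naive construction shown for contrast: it trusts
// the names, so an owner of "../../tmp/evil" lands outside the root.
func UnsafeRepoPath(owner, repo string) string {
	return filepath.Join(repoRoot, owner, repo+".git")
}

// withinRoot reports whether p resolves to a location under repoRoot.
func withinRoot(p string) bool {
	rel, err := filepath.Rel(repoRoot, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// RepoPath builds <repoRoot>/<owner>/<repo>.git and refuses any input that
// fails the allow-list or whose joined result escapes repoRoot. The second
// check is defense in depth in case the allow-list is ever loosened.
func RepoPath(owner, repo string) (string, error) {
	for _, n := range []string{owner, repo} {
		if !validName.MatchString(n) {
			return "", ErrUnsafeName
		}
	}
	p := filepath.Join(repoRoot, owner, repo+".git")
	if !withinRoot(p) {
		return "", ErrUnsafeName
	}
	return p, nil
}

func main() {
	// Constructed inputs: a traversal payload in the owner name and a benign pair.
	fmt.Println("naive:", UnsafeRepoPath("../../tmp/evil", "x"))
	if _, err := RepoPath("../../tmp/evil", "x"); err != nil {
		fmt.Println("hardened:", err)
	}
	p, _ := RepoPath("acme", "web")
	fmt.Println("hardened:", p)
}
```

On a POSIX filesystem the naive join resolves "../../tmp/evil" to /var/tmp/evil/x.git, which is exactly how a hooks directory can end up somewhere the attacker controls; the hardened version rejects it before any filesystem write.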

High-severity vulnerabilities include:

  • CVE-2026-52812 (LFS dedupe path leak) and CVE-2026-52805 (Migration Redirect Bypass leading to Internal Repository Theft) pose risks of unauthorized access to private repository content and internal data.
  • CVE-2026-52810 allows users to write to read-only repositories by exploiting a confusion in the Smart HTTP handler between git-receive-pack (the push service) and git-upload-pack (the fetch service).
  • CVE-2026-52800 details a Cross-Site Request Forgery (CSRF) vulnerability that can lead to an organization owner takeover by adding an attacker-controlled user to the Owners team.
  • CVE-2026-52799 involves missing authorization in attachment downloads, allowing unauthenticated users to download attachments from associated issues, comments, or releases.
  • CVE-2026-52798 describes a Stored Cross-Site Scripting (XSS) vulnerability in the preview of .ipynb files, where client-side re-rendering without sanitization allows for malicious script execution.
  • CVE-2026-25119 is an Authentication Bypass via unvalidated reverse proxy headers: when ENABLE_REVERSE_PROXY_AUTHENTICATION is enabled, a remote attacker who can reach Gogs can forge the authentication header and be treated as the named user. Deployments that rely on this setting should confirm that the Gogs listener is reachable only through the proxy and that the proxy overwrites the header on every forwarded request.
  • CVE-2026-52801 allows the import of local repositories via Mirror Settings due to a lack of validation in the SaveAddress function, presenting an alternative attack vector to the more protected New Migration functionality.
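Reverse-proxy header authentication is only as strong as the guarantee that nobody but the proxy can set the header. The following added example (not Gogs code, and not its patch) contrasts the pattern behind this class of bypass, reading the identity header from any client, with a hardened version that honors the header only when the TCP peer is a configured trusted proxy. The header name, the trusted-proxy list and the request helper are assumptions for the example; Gogs takes the real header name from app.ini.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// authHeader is an assumed header name for this example; the real one is
// whatever the Gogs configuration sets for reverse-proxy authentication.
const authHeader = "X-WEBAUTH-USER"

// trustedProxies is a constructed allow-list of proxy addresses that are
// permitted to assert identities. Keyed by IP only, without port.
var trustedProxies = map[string]bool{
	"127.0.0.1": true,
	"10.0.0.5":  true,
}

// VulnerableUser reads the identity header from any request. If the Gogs
// listener is reachable without going through the proxy, a client can
// supply the header itself and log in as anyone.
func VulnerableUser(r *http.Request) string {
	return r.Header.Get(authHeader)
}

// HardenedUser honors the header only when the TCP peer (r.RemoteAddr) is a
// trusted proxy. X-Forwarded-For is deliberately ignored here: it is itself
// client-controlled and must never drive the trust decision.
func HardenedUser(r *http.Request) (string, bool) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[host] {
		return "", false
	}
	u := r.Header.Get(authHeader)
	if u == "" {
		return "", false
	}
	return u, true
}

// newRequest builds a constructed request with a given peer address and
// optional identity header, standing in for what the server would see.
func newRequest(remoteAddr, user string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/user/settings", nil)
	r.RemoteAddr = remoteAddr
	if user != "" {
		r.Header.Set(authHeader, user)
	}
	return r
}

func main() {
	forged := newRequest("203.0.113.7:51234", "admin") // direct hit, header forged
	viaProxy := newRequest("127.0.0.1:40000", "alice") // arrived through the proxy

	fmt.Println("vulnerable, forged:", VulnerableUser(forged))
	u, ok := HardenedUser(forged)
	fmt.Printf("hardened, forged: user=%q accepted=%v\n", u, ok)
	u, ok = HardenedUser(viaProxy)
	fmt.Printf("hardened, via proxy: user=%q accepted=%v\n", u, ok)
}
```

The peer-address check is the in-process half of the control; the other half is network placement, so that the Gogs port is not reachable from anywhere except the proxy, and a proxy configuration that sets the header on every forwarded request rather than passing through whatever the client sent.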

Medium-severity issues include:

  • CVE-2026-52795 is an Authorization Bypass in the Watch API, allowing any user to monitor private repository activity.
  • CVE-2026-52816 involves an Unauthenticated Jupyter Notebook (ipynb) Sanitizer vulnerability that permits arbitrary data: URIs, leading to XSS.
  • CVE-2026-52815 allows Unauthenticated Organization Teams Information Disclosure via an API endpoint.
  • CVE-2026-52814 describes an Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall, leading to file descriptor exhaustion.
  • CVE-2026-52809 is a token-lifetime mix-up: password-reset tokens are validated with the account-activation lifetime instead of the intended reset-password lifetime.
  • CVE-2026-52802 is an Open Redirect vulnerability via the redirect_to parameter.
  • CVE-2025-64719 details a Denial of Service in repository/wiki file listing web pages, where creating a new file can cause HTTP 500 errors and make the interface unusable.

The 18 CVEs were disclosed by multiple researchers, with most of the critical and high-severity issues published on June 23, 2026. Given the range, from RCE to information disclosure and DoS, Gogs operators should update to patched versions as soon as possible. The CVE records summarized here do not state the fixed versions; consult the official Gogs advisories for patch details.

This extensive disclosure event highlights critical security gaps in Gogs, particularly concerning authorization, input sanitization, and authentication mechanisms. Users are strongly advised to review their configurations and apply necessary updates to mitigate the risks posed by these vulnerabilities. The clustering of these disclosures suggests a thorough security audit or a coordinated disclosure effort, emphasizing the importance of timely patching for self-hosted Git services.

AI-written article. Grounded in 18 CVE records listed below.