High severityNVD Advisory· Published Jun 23, 2026

Gogs has the ability to import local repositories via Mirror Settings

CVE-2026-52801

Description

Summary

The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.

Details

Here is the function implementation of the secure New Migration functionality.

Here is the function implementation of the Mirror Settings without any validation.

PoC

The New Migration feature correctly blocked my attempt to import a local repository.

But if I create a normal migration with a valid repository.

Then, I could use the Mirror Settings feature under the Repository Settings sync a local repository.

Here is the result after the sync.

Impact

Users can import local repositories from the server's filesystem, which allows accessing any repository the git user has access to. There is also a potential issue of blind SSRF.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
gogs.io/gogsGo	< 0.14.3	0.14.3

Affected products

Gogs/Gogsllm-fuzzy

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-wv27-2vqp-j7g5ghsaADVISORY
github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986cghsaWEB
github.com/gogs/gogs/pull/8225ghsaWEB
github.com/gogs/gogs/releases/tag/v0.14.3ghsaWEB
github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g5ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000