CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52806

criticalCVSS 9.9covered by 1 sourcefirst seen 2026-06-23
Gogs: RCE via git rebase --exec Argument Injection in PR Merge Summary Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. Severity Critical - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) Affected Versions - Gogs 0.14.2 (latest supported release) - Gogs 0.15.0+dev (commit b53d3162, main branch as of 2026-03-16) - All prior versions that support the "Rebase before merging" merge style Impact This is a privilege escalation from authenticated user to server-level code execution. The attacker uses their own repository as the delivery mechanism - the target is not the repository but the Gogs server itself. On any multi-tenant Gogs instance (company, university, open source hosting), this gives one authenticated user full control of the underlying server: - Server compromise: Arbitrary command execution as the Gogs process user - Cross-tenant data breach: Read ALL repositories on the instance, including other users' private repos - Credential theft: Access the database containing password hashes, API tokens, SSH keys, and 2FA secrets for every user - Lateral movement: Pivot to other systems accessible from the server's network - Supply chain attacks: Silently modify any hosted repository's code. The Gogs process user (typically git) has direct filesystem-level read/write access to every repository on the instance under a single REPOSITORY_ROOT directory (default: ~/gogs-repositories). There is no OS-level isolation between repositories; all access control is application-layer only. The vulnerability affects all supported platforms (Linux, macOS, Windows) and installation methods (pre-built binary, Docker, source). On Docker installations, the Gogs process runs as the git user (UID 1000 by default). The severity is heightened because: - Open

⚡ Watch CVE-2026-52806

Get an email if CVE-2026-52806 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-52806

CVE.org record

Embed the live status

CVE-2026-52806 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52806 status](https://www.csirts.com/badge/CVE-2026-52806)](https://www.csirts.com/cve/CVE-2026-52806)